Fail2ban dovecot rule need, please
Hello. I have a lot of attempts to access my system and I don't know how to ban them.
I have fail2ban activated and I have tried to limit this problem, but I can't get the correct rule.
I have a lot of these in my /var/log/dovecot.log:
Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:14:39 auth: Error: passwd-file(impresora,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:17:45 auth: Error: passwd-file(sqlservice,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:21:17 auth: Error: passwd-file(openvpn123,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:22:14 auth: Error: passwd-file(squirrelmail,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:24:42 auth: Error: passwd-file(amanda,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
How can I put a rule to ban this type of access?
Thanks in advance
Re: Fail2ban dovecot rule need, please
I couldn't find any regexes on the internet that worked for me, so I went and wrote my own. Just add this line to your /etc/fail2ban/filter.d/dovecot.conf:
^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$
Here are the results of my regex test:
root@do:~# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Failregex: 2400 total
|- #) [# of hits] regular expression
| 1) [2114] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*auth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$
| 3) [123] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
| 5) [163] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6346] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 6346 lines, 0 ignored, 2400 matched, 3946 missed [processed in 0.55 sec]
Here's a helpful tool for testing regexes (aka regular expressions): https://www.regextester.com/94338
And this Digital Ocean article explains how fail2ban works: https://www.digitalocean.com/community/ ... nux-server
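To check offline what the posted failregex actually does before dropping it into a jail, here is an added Python example (not from the thread or from fail2ban itself) that mimics fail2ban's matching flow: strip the timestamp, apply the failregex, count hits per client address, and list the addresses that reached maxretry. The `__prefix_line` and `<HOST>` expansions are simplified assumptions, the date pattern approximates the template fail2ban-regex reported above, and the last sample log line is a constructed non-matching login event.

```python
import re
from collections import Counter

# The failregex posted in the thread, with its two fail2ban placeholders
# expanded below (assumed, simplified forms, not fail2ban's exact ones):
# __prefix_line is reduced to leading whitespace (common.conf also allows
# hostname/PID fields) and <HOST> becomes a named 'host' capture group.
FAILREGEX = (r"^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: "
             r"stat\(.*\) failed: No such file or directory\s$")
FAIL_RE = re.compile(FAILREGEX.replace("%(__prefix_line)s", r"\s*")
                              .replace("<HOST>", r"(?P<host>[\w\-.^_]*\w)"))
# Date pattern approximating the template fail2ban-regex reported for this log:
# (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
DATE_RE = re.compile(r"^(?:\w{3} )?\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: \d{4})?")

def offending_host(line):
    """Client address if the line matches the failregex, else None.
    As fail2ban does, strip the timestamp first and match the remainder.
    The line keeps its newline: the posted pattern ends in \\s$, so some
    whitespace must precede end of line, and the newline provides it."""
    m = DATE_RE.match(line)
    if not m:
        return None
    hit = FAIL_RE.match(line[m.end():])
    return hit.group("host") if hit else None

def count_failures(log_text):
    """Tally hits per client address, like fail2ban's per-IP failure counter."""
    hits = Counter()
    for line in log_text.splitlines(keepends=True):
        host = offending_host(line)
        if host:
            hits[host] += 1
    return hits

def hosts_to_ban(hits, maxretry):
    """Addresses that reached maxretry hits (findtime is ignored in this toy)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Six lines copied from the thread plus one constructed, unrelated
# login line (RFC 5737 address) that the pattern must not match.
SAMPLE_LOG = """\
Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:15:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
"""
```

With maxretry=3, `hosts_to_ban(count_failures(SAMPLE_LOG), 3)` returns only 45.125.65.124, the address with three hits. If your fail2ban version strips the newline before matching, the trailing `\s$` in the posted pattern will not match a line without trailing whitespace, and `\s*$` is the safer ending; confirm with `fail2ban-regex` as the reply shows.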