Fail2ban dovecot rule need, please
Hello. I have a lot of attempts to access my system and I don't know how to ban this.
I have fail2ban activated and I have tried to limit this problem, but I can't get the correct rule.
I have a lot of these in my /var/log/dovecot.log:
Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:14:39 auth: Error: passwd-file(impresora,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:17:45 auth: Error: passwd-file(sqlservice,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:21:17 auth: Error: passwd-file(openvpn123,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:22:14 auth: Error: passwd-file(squirrelmail,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:24:42 auth: Error: passwd-file(amanda,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
How can I put a rule to ban this type of access?
Thanks in advance
Re: Fail2ban dovecot rule need, please
I couldn't find any regexes on the internet that worked for me, so I went and wrote my own. Just add this line to your /etc/fail2ban/filter.d/dovecot.conf:

^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$

Here are the results of my regex test:

root@do:~# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Failregex: 2400 total
|- #) [# of hits] regular expression
| 1) [2114] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*auth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$
| 3) [123] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
| 5) [163] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6346] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 6346 lines, 0 ignored, 2400 matched, 3946 missed [processed in 0.55 sec]

Here's a helpful tool for testing regexes (aka regular expressions): https://www.regextester.com/94338
And this Digital Ocean article explains how fail2ban works: https://www.digitalocean.com/community/ ... nux-server
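As an added example (not code from the forum post or from fail2ban itself), the script below expands the failregex posted in the reply with simplified stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` placeholders (both assumptions), runs it over log lines from the question, and counts matches per source address the way a jail's maxretry threshold would. It also shows that the pattern's trailing `\s$` needs a newline or other whitespace on the line before it will match.

```python
import re
from collections import Counter

# Failregex exactly as posted in the reply above.
FAILREGEX = (r"^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: "
             r"stat\(.*\) failed: No such file or directory\s$")

# Assumptions (not fail2ban's own code): fail2ban strips the timestamp with its
# date template and expands %(__prefix_line)s and <HOST> itself; here a syslog
# "Mon DD HH:MM:SS " prefix stands in for both, and <HOST> becomes a simplified
# form of fail2ban's named "host" group.
PREFIX_LINE = r"\s*(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )?"
HOST_TAG = r"(?P<host>[\w\-.^_]*\w)"

def compile_failregex(pattern=FAILREGEX):
    """Expand the fail2ban placeholders and compile the pattern."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(expanded.replace("<HOST>", HOST_TAG))

def find_failures(lines, pattern=FAILREGEX):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(pattern)
    return [m.group("host") for line in lines if (m := rx.search(line))]

def hosts_to_ban(lines, maxretry=3, pattern=FAILREGEX):
    """Hosts whose failure count reaches maxretry, i.e. what the jail would ban."""
    counts = Counter(find_failures(lines, pattern))
    return sorted(host for host, n in counts.items() if n >= maxretry)

# Sample input: eight lines taken from the question plus one constructed
# successful-login line that must not match. Newlines are kept because the
# posted pattern ends in \s$, which needs whitespace before end-of-line.
SAMPLE_LOG = """\
Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:14:39 auth: Error: passwd-file(impresora,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:21:17 auth: Error: passwd-file(openvpn123,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:30:00 imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1
""".splitlines(keepends=True)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['45.125.65.124', '45.125.66.79']
```

With maxretry=3 only the two addresses seen three times are reported; 185.234.219.28 has two hits in this sample and is left alone until it crosses the threshold.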