Fail2ban dovecot rule need, please

Posted: Tue Nov 13, 2018 11:50 am
by tlozano
Hello. I have a lot of attempts to access my system and I don't know how to ban them.
I have fail2ban activated and I have tried to limit this problem, but I can't get the correct rule.
I have a lot of these in my /var/log/dovecot.log:

Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:14:39 auth: Error: passwd-file(impresora,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:17:45 auth: Error: passwd-file(sqlservice,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:21:17 auth: Error: passwd-file(openvpn123,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:22:14 auth: Error: passwd-file(squirrelmail,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:24:42 auth: Error: passwd-file(amanda,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory

How can I put a rule to ban this type of access?
Thanks in advance

Re: Fail2ban dovecot rule need, please

Posted: Thu May 16, 2019 3:53 pm
by Elfy
I couldn't find any regexes on the internet that worked for me, so I went and wrote my own. Just add this line to your /etc/fail2ban/filter.d/dovecot.conf:

^%(__prefix_line)sauth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$
Here are the results of my regex test:

root@do:~# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8


Results
=======

Failregex: 2400 total
|-  #) [# of hits] regular expression
|   1) [2114] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*auth: Error: passwd-file\(.*\,<HOST>\)\: stat\(.*\) failed: No such file or directory\s$
|   3) [123] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
|   5) [163] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6346] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 6346 lines, 0 ignored, 2400 matched, 3946 missed [processed in 0.55 sec]
Here's a helpful tool for testing regexes (aka regular expressions): https://www.regextester.com/94338
And this Digital Ocean article explains how fail2ban works: https://www.digitalocean.com/community/ ... nux-server
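As an added worked example (this is my code, not Elfy's post or the fail2ban project's own code), the script below applies the answer's failregex to the log lines from the question and then mimics the `maxretry`/`findtime` decision that fail2ban's jail makes on the matches. It expands fail2ban's `<HOST>` tag to an IPv4-only group and stands in for `%(__prefix_line)s` with just the syslog-style timestamp that dovecot.log carries (both are simplifying assumptions; fail2ban's real definitions in `common.conf` are wider), and it ends the pattern with `\s*$` rather than the answer's `\s$` so lines with no trailing blank also match. The one `imap-login` line in the sample is constructed to show a normal login that the filter must not count.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the attempts quoted in the question, plus one ordinary
# login line (constructed, not from the post) that the filter must NOT match.
SAMPLE_LOG = """\
Nov 13 12:01:03 auth: Error: passwd-file(openvpn1,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:21 auth: Error: passwd-file(bill,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:04:45 auth: Error: passwd-file(sqladmin,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:05:00 imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Nov 13 12:09:27 auth: Error: passwd-file(sqlexec,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:11:12 auth: Error: passwd-file(openvpn12,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:13:25 auth: Error: passwd-file(sqlserver,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:14:39 auth: Error: passwd-file(impresora,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:17:45 auth: Error: passwd-file(sqlservice,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:21:17 auth: Error: passwd-file(openvpn123,45.125.66.79): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:22:14 auth: Error: passwd-file(squirrelmail,45.125.65.124): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 13 12:24:42 auth: Error: passwd-file(amanda,185.234.219.28): stat(/etc/exim4/domains//passwd) failed: No such file or directory
"""

# Stand-in for fail2ban's %(__prefix_line)s: only the syslog-style timestamp
# (assumption; fail2ban's own prefix from common.conf also allows host/pid parts).
TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# Stand-in for fail2ban's <HOST> tag, restricted to IPv4 (assumption).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The answer's failregex with the two tags expanded and \s*$ as the line end.
FAILREGEX = re.compile(
    r"^\s*" + TIMESTAMP
    + r" auth: Error: passwd-file\(.*," + HOST
    + r"\): stat\(.*\) failed: No such file or directory\s*$"
)


def match_line(line):
    """Return (timestamp, host) when the filter matches the line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only the differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host")


def count_hits(log_text):
    """Matched lines per source host (fail2ban-regex's [# of hits], split by host)."""
    hits = Counter()
    for line in log_text.splitlines():
        found = match_line(line)
        if found:
            hits[found[1]] += 1
    return hits


def find_offenders(log_text, maxretry=3, findtime=600):
    """Hosts a jail with these settings would ban: maxretry hits within findtime seconds."""
    stamps_by_host = defaultdict(list)
    for line in log_text.splitlines():
        found = match_line(line)
        if found:
            stamps_by_host[found[1]].append(found[0])
    window = timedelta(seconds=findtime)
    offenders = set()
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        # Slide a window of maxretry consecutive hits; any window that fits in
        # findtime means the host reached the threshold.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                offenders.add(host)
                break
    return offenders


if __name__ == "__main__":
    for host, n in count_hits(SAMPLE_LOG).most_common():
        print(f"{host}: {n} failed passwd-file lookups")
    print("banned with maxretry=3, findtime=600s :", sorted(find_offenders(SAMPLE_LOG)))
    print("banned with maxretry=3, findtime=3600s:", sorted(find_offenders(SAMPLE_LOG, findtime=3600)))
```

Running it shows why `findtime` matters as much as the regex: with the common 10-minute window only 45.125.65.124 (five hits, three of them within 520 seconds) is banned, while the two sources that space their attempts about ten minutes apart slip under the threshold; raising `findtime` to an hour catches all three. That is the same trade-off a practitioner makes in the `[dovecot]` jail settings once the filter itself matches, as the `[2114]` hit count in the answer's `fail2ban-regex` run confirms it does.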