Hi,

first of all: thank you very much to all developers and contributors
for providing fail2ban!

I have successfully set up fail2ban. Overall, only the failregex for
roundcube-auth needed some adjustment, which is clear as I do not use
the roundcube package from the Ubuntu repository, and the dovecot jail
gave me a hard time.

OOTB the dovecot jail was not working at all.
The auth attempts get logged in /var/log/mail.log and look like this:

Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth
failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN,
rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>

Of the failregexes that were installed with the Ubuntu fail2ban
package, none worked.
When I test them with fail2ban-regex, the above log line is missed.

Problem 1:
I developed the following failregex, which is hit when I test it with
fail2ban-regex, but when I test a login to dovecot with this failregex
in place (Thunderbird with a wrong IMAP password), the status for the
dovecot jail stays at 0 failures.

^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?\s*(, session=<\w+>)?$

In the dovecot wiki they suggest another failregex, which gets hit
when I test it with fail2ban-regex and works with Thunderbird login
attempts.
(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
http://wiki2.dovecot.org/HowTo/Fail2Ban

But to get the dovecot jail working, problem 2 has to be worked around as well:

Problem 2:
As shown in the dovecot wiki, the ports are configured differently.
The default configuration of the dovecot jail looks like this:
[dovecot]

enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

But even with the above failregex the dovecot jail needs “imap, imaps”
as port to work, “imap2,imap3,imaps” is not working.

So finally I got a working configuration with port = imap,imaps and
the failregex
(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

I would have opened an issue on fail2ban@github and provided a patch,
but so far I do not understand why problem 1 occurs. How can a
failregex be hit by fail2ban-regex but not work with the server?

Any ideas on this?

Kind regards,
Ralph

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
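A stand-alone way to reproduce the fail2ban-regex check outside fail2ban, added here as an example (not code from the mail, from fail2ban or from the dovecot wiki): it replaces the fail2ban placeholders with assumed stand-ins and runs both failregexes from the mail over constructed log lines in the format quoted above. It also shows where the two differ: Ralph's regex additionally catches dovecot's "no auth attempts" disconnect, the wiki one does not.

```python
import re

# Constructed sample lines in the /var/log/mail.log format quoted in the mail
# (addresses and session ids are made up). Line 2 is dovecot's "no auth attempts"
# disconnect for a client that never tried to log in; line 3 is a successful login.
LOG_LINES = [
    "Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth failed, "
    "2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN, "
    "rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>",
    "Feb 11 09:30:01 hardliner dovecot: imap-login: Disconnected (no auth attempts "
    "in 5 secs): user=<>, rip=198.51.100.7, lip=11.22.333.444, TLS, session=<aB12cD>",
    "Feb 11 09:31:15 hardliner dovecot: imap-login: Login: user=<alice>, "
    "method=PLAIN, rip=192.0.2.10, lip=11.22.333.444, TLS, session=<eF34gH>",
]

# Assumed stand-ins for what fail2ban substitutes before compiling a failregex:
# <HOST> is fail2ban's usual expansion, __prefix_line is simplified to "host daemon: ".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PREFIX_LINE = r"(?:\S+\s+)?(?:dovecot(?:\[\d+\])?:\s+)?"
SYSLOG_DATE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")  # fail2ban matches the date separately

# Ralph's failregex from the mail, joined back onto one line.
RALPH_REGEX = (
    r"^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)"
    r"(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)?"
    r" rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?"
    r"\s*(, session=<\w+>)?$"
)

# The failregex suggested on the dovecot wiki page linked in the mail.
WIKI_REGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)


def matched_hosts(failregex, lines):
    """Return the host captured from each line, or None where the failregex misses it."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    pattern = re.compile(expanded)
    results = []
    for line in lines:
        m = pattern.search(SYSLOG_DATE.sub("", line))  # strip the date as fail2ban does
        results.append(m.group("host") if m else None)
    return results


if __name__ == "__main__":
    print("ralph:", matched_hosts(RALPH_REGEX, LOG_LINES))  # ['109.41.230.17', '198.51.100.7', None]
    print("wiki: ", matched_hosts(WIKI_REGEX, LOG_LINES))   # ['109.41.230.17', None, None]
```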
