I have installed Fail2ban on CentOS 6.7 and configured it to handle failed login attempts to dovecot. I tried to configure it based on various different directions on the web, but no luck.
It appears the filter is working correctly, but the action never seems to get executed.

fail2ban-client status dovecot-pop3imap
----------------------------------------------------------------
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     9
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
================================================================

fail2ban-client -d
----------------------------------------------------------------
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'dovecot-pop3imap', 'auto']
['set', 'dovecot-pop3imap', 'usedns', 'warn']
['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
['set', 'dovecot-pop3imap', 'maxretry', 20]
['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
['set', 'dovecot-pop3imap', 'logencoding', 'auto']
['set', 'dovecot-pop3imap', 'bantime', 172800]
['set', 'dovecot-pop3imap', 'ignorecommand', '']
['set', 'dovecot-pop3imap', 'findtime', 3600]
['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', 'serverm...@myserver.com']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
['start', 'dovecot-pop3imap']
================================================================

Relevant part of jail.local
----------------------------------------------------------------
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
port     = pop3,pop3s,imap,imaps
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=serverm...@myserver.com]
logpath  = /var/log/maillog
maxretry = 20
findtime = 3600
bantime  = 172800
================================================================

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
----------------------------------------------------------------
Running tests
=============

Use   failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : UTF-8

Results
=======

Failregex: 927 total
|-  #) [# of hits] regular expression
|   1) [927] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed
[processed in 3.86 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 27967 lines
================================================================

No errors appear in the fail2ban log, even on Debug level of logging.
Email seems to work fine for the shutdown and startup of Fail2ban.

Any ideas on why this may be happening? Did I overlook something or is there a typo in my work?

Fail2ban version v0.9.3
CentOS release 6.7 (Final)

Thanks!!
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
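Whether a jail's failure counts ever reach maxretry inside findtime can be checked offline by replaying the filter over log lines. The following is an added example, not code from the post or from the Fail2ban project: it applies the jail's own failregex (copied from the fail2ban-client -d output above) to constructed maillog lines and counts failures per source address in a sliding findtime window the way fail2ban's ban decision works, so the same input can be compared at maxretry=20 against a lower threshold. The year assumed for the year-less syslog timestamps and the "counter resets after a ban" simplification are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The jail's failregex, copied verbatim from the fail2ban-client -d output.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
    r"|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*"
)
# Syslog timestamp at the start of each maillog line (no year, like the jail's date template).
TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def failures(lines, year=2016):
    """Yield (timestamp, host) for every line the failregex matches. Year is assumed."""
    for line in lines:
        m_ts, m_fail = TS.match(line), FAILREGEX.search(line)
        if m_ts and m_fail:
            ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m_fail["host"]


def simulate_bans(lines, maxretry, findtime):
    """Ban a host once maxretry failures fall within findtime seconds (sliding window)."""
    window = defaultdict(deque)
    bans = []
    for ts, host in failures(lines):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((host, ts))
            q.clear()  # simplification: counter starts over once the host is banned
    return bans


# Constructed sample: 12 auth failures from one address within twelve minutes, plus one login.
SAMPLE = [
    f"Mar  1 10:{i:02d}:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    f"user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS"
    for i in range(12)
] + ["Mar  1 10:12:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
     "rip=198.51.100.7, lip=198.51.100.2, TLS"]

if __name__ == "__main__":
    print("matched failures:", len(list(failures(SAMPLE))))
    print("bans at maxretry=20, findtime=3600:", simulate_bans(SAMPLE, 20, 3600))
    print("bans at maxretry=5,  findtime=3600:", simulate_bans(SAMPLE, 5, 3600))
```

Pointing `failures()` at real /var/log/maillog lines shows per-address counts that `fail2ban-regex` alone does not, since that tool reports total matches rather than matches per host per findtime.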