Have you tried using '<HOST>' instead of '(?P<host>\\S*)', which looks wrong due to the double backslash.
You are getting hits but maybe it can't find the IP address.

Bill

On 12/12/2015 11:55 PM, Brad wrote:
> The same ip hits about once every minute, failing and filling up my log...
> That was the reason I tried Fail2ban...
>
> -----Original Message-----
> From: Bill Shirley [mailto:bshir...@openmri-scottsboro.com]
> Sent: Saturday, December 12, 2015 8:37 PM
> To: fail2ban-users@lists.sourceforge.net
> Subject: Re: [Fail2ban-users] Fail2ban not executing action
>
> I don't see any errors in your configuration. Could it be you don't have 20
> hits within one hour for the same IP address?
>
> Bill
>
> On 12/12/2015 10:48 PM, Brad wrote:
>> I have installed Fail2ban on Centos 6.7 and configured it to handle
>> failed login attempts to dovecot. I tried to configure it based on
>> various different directions on the web, but no luck.
>>
>> It appears the filter is working correctly, but the action never seems
>> to get executed.
>>
>> fail2ban-client status dovecot-pop3imap
>> ----------------------------------------------------------------
>> Status for the jail: dovecot-pop3imap
>> |- Filter
>> |  |- Currently failed: 1
>> |  |- Total failed: 9
>> |  `- File list: /var/log/maillog
>> `- Actions
>>    |- Currently banned: 0
>>    |- Total banned: 0
>>    `- Banned IP list:
>> ================================================================
>>
>> fail2ban-client -d
>> ----------------------------------------------------------------
>> ['set', 'syslogsocket', 'auto']
>> ['set', 'loglevel', 'INFO']
>> ['set', 'logtarget', '/var/log/fail2ban']
>> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
>> ['set', 'dbpurgeage', 86400]
>> ['add', 'dovecot-pop3imap', 'auto']
>> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
>> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
>> ['set', 'dovecot-pop3imap', 'maxretry', 20]
>> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
>> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
>> ['set', 'dovecot-pop3imap', 'bantime', 172800]
>> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
>> ['set', 'dovecot-pop3imap', 'findtime', 3600]
>> ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
>> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
>> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', 'serverm...@myserver.com']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
>> ['start', 'dovecot-pop3imap']
>> ================================================================
>>
>> Relevant part of jail.local
>> ----------------------------------------------------------------
>> [dovecot-pop3imap]
>> enabled = true
>> filter = dovecot-pop3imap
>> port = pop3,pop3s,imap,imaps
>> action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
>>          sendmail-whois[name=dovecot-pop3imap, dest=serverm...@myserver.com]
>> logpath = /var/log/maillog
>> maxretry = 20
>> findtime = 3600
>> bantime = 172800
>> ================================================================
>>
>> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
>> ----------------------------------------------------------------
>> Running tests
>> =============
>>
>> Use failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
>> Use log file : /var/log/maillog
>> Use encoding : UTF-8
>>
>> Results
>> =======
>>
>> Failregex: 927 total
>> |- #) [# of hits] regular expression
>> |  1) [927] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> |  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>>
>> Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed [processed in 3.86 sec]
>> Missed line(s): too many to print. Use --print-all-missed to print all 27967 lines
>> ================================================================
>>
>> No errors appear in the fail2ban log, even on Debug level of logging.
>>
>> Email seems to work fine for the shutdown and startup of Fail2ban.
>>
>> Any ideas on why this may be happening?
>>
>> Did I overlook something or is there a typo in my work?
>>
>> Fail2ban version v0.9.3
>> CentOS release 6.7 (Final)
>>
>> Thanks!!
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
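The thread leaves two things untested: what the jail's failregex actually captures as the host, and whether the configured findtime/maxretry window would fire for a client that fails about once a minute. The script below is an added example for readers of this thread, not code from the thread or from fail2ban. It replays the failregex exactly as printed by `fail2ban-client -d` (the `\\` there is Python repr escaping of a single backslash), plus the same pattern with Bill's suggested `<HOST>` placeholder, over constructed Dovecot log lines, and then applies the jail's findtime/maxretry window per host. The `<HOST>` expansion in `HOST_EXPANSION` is an assumption about the 0.9 series and should be checked against `fail2ban/server/failregex.py` on the installed version; the log lines, addresses and timestamps are constructed, not taken from the poster's maillog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex as printed by `fail2ban-client -d` in the thread, with repr escaping undone.
THREAD_FAILREGEX = (
    r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed|failed"
    r"|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*"
)
# The same pattern using the <HOST> placeholder suggested in the thread.
HOST_FAILREGEX = THREAD_FAILREGEX.replace(r"(?P<host>\S*)", "<HOST>")

# ASSUMPTION: what fail2ban 0.9 substitutes for <HOST>; verify on your installed version.
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp prefix ("Dec 12 22:01:03 ..."); no year in the log, so one is supplied.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_EXPANSION))


def capture_host(pattern, line):
    """Return the host the pattern captures for one line, or None if the line does not match."""
    m = compile_failregex(pattern).search(line)
    return m["host"] if m else None


def extract_failures(lines, pattern, year=2015):
    """Yield (timestamp, host) for each matching line, like fail2ban-regex does."""
    rx = compile_failregex(pattern)
    for line in lines:
        ts = SYSLOG_TS.match(line)
        m = rx.search(line)
        if not ts or not m:
            continue
        when = datetime.strptime(
            f"{year} {ts['mon']} {ts['day']} {ts['time']}", "%Y %b %d %H:%M:%S")
        yield when, m["host"]


def simulate_bans(lines, pattern, maxretry=20, findtime=3600):
    """Sliding window per host: a host is banned once it has >= maxretry failures within findtime seconds."""
    window = defaultdict(deque)
    banned = set()
    for when, host in extract_failures(lines, pattern):
        q = window[host]
        q.append(when)
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def constructed_maillog():
    """Constructed sample (not the poster's log): one client failing once a minute for 20 minutes,
    one successful login, and one client whose address Dovecot logs in IPv4-mapped IPv6 form."""
    lines = [
        f"Dec 12 22:{m:02d}:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
        f"user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS"
        for m in range(20)
    ]
    lines.append("Dec 12 22:20:15 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, "
                 "rip=198.51.100.4, lip=192.0.2.10, mpid=4242, TLS")
    lines.append("Dec 12 22:21:40 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 10 secs): "
                 "user=<alice>, method=PLAIN, rip=::ffff:198.51.100.9, lip=::ffff:192.0.2.10")
    return lines


def compare_host_capture(line):
    """What each pattern hands to the ban action as <ip> for one line."""
    return {"thread": capture_host(THREAD_FAILREGEX, line),
            "host_placeholder": capture_host(HOST_FAILREGEX, line)}


if __name__ == "__main__":
    log = constructed_maillog()
    for name, pattern in (("thread regex", THREAD_FAILREGEX), ("<HOST> regex", HOST_FAILREGEX)):
        hits = list(extract_failures(log, pattern))
        print(f"{name}: {len(hits)} hits, would ban {sorted(simulate_bans(log, pattern))}")
    print("host captured on the ::ffff: line:", compare_host_capture(log[-1]))
```

The window simulation confirms that 20 failures inside one hour is enough to trigger a ban under the thread's jail settings, so a client failing once a minute should be banned within about twenty minutes if the running filter sees the same lines that `fail2ban-regex` does. The host comparison shows the practical difference between the two captures: `(?P<host>\S*)` hands the whole `::ffff:198.51.100.9` token to the action, while the `<HOST>` expansion strips the IPv4-mapped prefix and yields a plain IPv4 address, which is the form iptables and the `usedns` lookup expect.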