Thanks Bill!!! That resolved the problem. I wish I understood why that filter worked and the one from dovecot did not, even though the regex test was successful.
The issue may be related to the [INCLUDES] and [Init] blocks since they are missing from the filter that dovecot provides.

Thanks again!

Brad

-----Original Message-----
From: Bill Shirley [mailto:bshir...@openmri-scottsboro.com]
Sent: Sunday, December 13, 2015 7:48 PM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] Fail2ban not executing action

Have you tried dovecot.conf?

[1:root@elmo fail2ban 1]$ rpm -qa | grep fail
fail2ban-server-0.9.3-1.fc22.noarch
fail2ban-systemd-0.9.3-1.fc22.noarch

[0:root@elmo filter.d]$ ls /etc/fail2ban/filter.d/
3proxy.conf                common.conf           guacamole.conf          perdition.conf        sieve.conf
apache-auth.conf           counter-strike.conf   horde.conf              php-url-fopen.conf    sogo-auth.conf
apache-badbots.conf        courier-auth.conf     ignorecommands          portsentry.conf       solid-pop3d.conf
apache-botsearch.conf      courier-smtp.conf     kerio.conf              postfix.conf          squid.conf
apache-common.conf         cyrus-imap.conf       lighttpd-auth.conf      postfix.local         squirrelmail.conf
apache-common.local        directadmin.conf      monit.conf              postfix-rbl.conf      sshd.conf
apache-fakegooglebot.conf  dovecot.conf          my_apache-wplogin.conf  postfix-sasl.conf     sshd-ddos.conf
apache-modsecurity.conf    dropbear.conf         my_dovecot_secure.conf  postfix-sasl.local    stunnel.conf
apache-nohome.conf         drupal-auth.conf      mysqld-auth.conf        proftpd.conf          suhosin.conf
apache-noscript.conf       ejabberd-auth.conf    nagios.conf             pure-ftpd.conf        tine20.conf
apache-noscript.local      exim-common.conf      named-refused.conf      qmail.conf            uwimap-auth.conf
apache-overflows.conf      exim.conf             nginx-botsearch.conf    recidive.conf         vsftpd.conf
apache-pass.conf           exim-spam.conf        nginx-http-auth.conf    roundcube-auth.conf   webmin-auth.conf
apache-shellshock.conf     freeswitch.conf       nsd.conf                selinux-common.conf   wuftpd.conf
assp.conf                  froxlor-auth.conf     openwebmail.conf        selinux-ssh.conf      xinetd-fail.conf
asterisk.conf              groupoffice.conf      oracleims.conf          sendmail-auth.conf
botsearch-common.conf      gssftpd.conf          pam-generic.conf        sendmail-reject.conf

I actually use my_dovecot_secure.conf:

failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>

HTH,
Bill

On 12/12/2015 10:48 PM, Brad wrote:
> I have installed Fail2ban on Centos 6.7 and configured it to handle
> failed login attempts to dovecot. I tried to configure it based on
> various different directions on the web, but no luck.
>
> It appears the filter is working correctly, but the action never seems
> to get executed.
>
> fail2ban-client status dovecot-pop3imap
> ----------------------------------------------------------------
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed:     9
> |  `- File list:        /var/log/maillog
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> ================================================================
>
> fail2ban-client -d
> ----------------------------------------------------------------
> ['set', 'syslogsocket', 'auto']
> ['set', 'loglevel', 'INFO']
> ['set', 'logtarget', '/var/log/fail2ban']
> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
> ['set', 'dbpurgeage', 86400]
> ['add', 'dovecot-pop3imap', 'auto']
> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'dovecot-pop3imap', 'maxretry', 20]
> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
> ['set', 'dovecot-pop3imap', 'bantime', 172800]
> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
> ['set', 'dovecot-pop3imap', 'findtime', 3600]
> ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', 'serverm...@myserver.com']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
> ['start', 'dovecot-pop3imap']
> ================================================================
>
> Relevant part of jail.local
> ----------------------------------------------------------------
> [dovecot-pop3imap]
> enabled  = true
> filter   = dovecot-pop3imap
> port     = pop3,pop3s,imap,imaps
> action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
>            sendmail-whois[name=dovecot-pop3imap, dest=serverm...@myserver.com]
> logpath  = /var/log/maillog
> maxretry = 20
> findtime = 3600
> bantime  = 172800
> ================================================================
>
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
> ----------------------------------------------------------------
> Running tests
> =============
>
> Use failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
> Use log file              : /var/log/maillog
> Use encoding              : UTF-8
>
> Results
> =======
>
> Failregex: 927 total
> |-  #) [# of hits] regular expression
> |   1) [927] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication disabled|attempts).*rip=(?P<host>\S*),.*
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed [processed in 3.86 sec]
> Missed line(s): too many to print.  Use --print-all-missed to print all 27967 lines
> ================================================================
>
> No errors appear in the fail2ban log, even on Debug level of logging.
>
> Email seems to work fine for the shutdown and startup of Fail2ban.
>
> Any ideas on why this may be happening?
>
> Did I overlook something or is there a typo in my work?
>
> Fail2ban version v0.9.3
> CentOS release 6.7 (Final)
>
> Thanks!!
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
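The thread's symptom (fail2ban-regex reports 927 matches, yet "Total banned: 0") comes down to the difference between what the filter matches and what the jail counts: a host is banned only after maxretry matches for that host inside findtime seconds. The following is an added example, not code from the thread or from fail2ban, that emulates that decision over constructed maillog lines using the last failregex Bill posted; the <HOST> expansion and the year in the timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: the group fail2ban 0.9 substitutes for <HOST> (from memory, not from the thread).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Last line of Bill's my_dovecot_secure.conf failregex, with <HOST> expanded.
FAILREGEX = re.compile(r"dovecot:.+auth failed.+rip=" + HOST_RE)

# Constructed maillog excerpt (not real data). Two hosts fail three times each,
# but only 203.0.113.5 does so inside one hour; the last line is a successful login.
SAMPLE_LOG = """\
Dec 12 20:00:00 elmo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<a1>
Dec 12 21:15:00 elmo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<a2>
Dec 12 22:30:01 elmo dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b1>
Dec 12 22:31:10 elmo dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b2>
Dec 12 22:35:42 elmo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b3>
Dec 12 22:40:00 elmo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<a3>
Dec 12 22:41:00 elmo dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.9, lip=192.0.2.1, mpid=1234, TLS, session=<c1>
"""


def parse_failure(line, year=2015):
    """Return (timestamp, host) if the line matches the failregex, else None.
    Syslog lines carry no year, so one is assumed (constructed data uses 2015)."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def count_matches(log):
    """What fail2ban-regex reports: the number of lines the filter matches."""
    return sum(1 for l in log.splitlines() if parse_failure(l) is not None)


def hosts_to_ban(log, maxretry, findtime):
    """What the jail decides: a host is banned once it reaches maxretry
    matches inside a sliding window of findtime seconds."""
    window = {}  # host -> timestamps of matches still inside the window
    banned = set()
    for line in log.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned
```

With the thread's own settings (maxretry=20, findtime=3600) the sample produces six matches and no bans, which is the same picture the status output in the thread shows.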