Dear list,
THE SETUP
---------
I decided to have two jails to monitor my dovecot log: one for the small
time frame [dovecot] and one for the large time frame [dovecot-long].
[dovecot]
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
[dovecot-long]
findtime = 86400
maxretries = 10
# 5 days
bantime = 432000
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
THE EXPECTED RESULTS
--------------------
The dovecot-long jail should ban after 10 fails in 1 day.
THE ACTUAL RESULTS
------------------
The dovecot-long jail is banning an IP that hasn't 10 fails in 1 day. For
example:
root@messagerie[10.10.10.19] ~ # zgrep imap-login.*221.228.229.49 /var/log/dovecot.log*
/var/log/dovecot.log.2.gz:Aug 25 12:40:31 imap-login:
Info: Disconnected (auth failed, 1 attempts in 7 secs):
user=<a.chaou...@domain.tld>, method=PLAIN, rip=221.228.229.49,
lip=10.10.10.19, TLS, session=<tWMlaZJX9ADd5OUx>
/var/log/dovecot.log.2.gz:Aug 25 23:15:36 imap-login: Info: Disconnected (auth
failed, 1 attempts in 5 secs): user=<administra...@domain.tld>, method=PLAIN,
rip=221.228.229.49, lip=10.10.10.19, TLS, session=<PKyLSJtXXgDd5OUx>
/var/log/dovecot.log.2.gz:Aug 26 01:49:50 imap-login: Info: Disconnected (auth
failed, 1 attempts in 8 secs): user=<cont...@domain.tld>, method=PLAIN,
rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected,
session=<nGftb51X/ADd5OUx>
/var/log/dovecot.log.4.gz:Jul 30 11:00:38 imap-login: Info: Disconnected (auth
failed, 1 attempts in 5 secs): user=<sde>, method=PLAIN, rip=221.228.229.49,
lip=10.10.10.19, TLS: Disconnected, session=<Kv0q/IVVaQDd5OUx>
/var/log/dovecot.log.4.gz:Aug 05 17:48:28 imap-login: Info: Disconnected (auth
failed, 1 attempts in 8 secs): user=<chai...@domain.tld>, method=PLAIN,
rip=221.228.229.49, lip=10.10.10.19, TLS, session=<lVyQYQRWGgDd5OUx>
/var/log/dovecot.log.4.gz:Aug 14 00:49:21 imap-login: Info: Disconnected (auth
failed, 1 attempts in 6 secs): user=<radioculture>, method=PLAIN,
rip=221.228.229.49, lip=10.10.10.19, TLS, session=<J3mfMatWdADd5OUx>
root@messagerie[10.10.10.19] ~ #
This is 6 fails in nearly 2 months, yet the IP was banned by the dovecot-long
jail:
root@messagerie[10.10.10.19] ~ # zgrep 221.228.229.49 /var/log/fail2ban.log.*
/var/log/fail2ban.log.1:2017-08-26 01:49:50,396 fail2ban.actions[10631]:
WARNING [dovecot-long] Ban 221.228.229.49
root@messagerie[10.10.10.19] ~ #
Does anyone know how I can troubleshoot this?
-- Yassine.
Complete jail.local
-------------------
root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
# ychaouche
# the default is 10 minutes,
# I set it to 1 day.
bantime = 86400
[postfix-sasl]
enabled = true
port = all
filter = postfix-sasl
#action = shorewall
logpath = /var/log/mail.warn
maxretry = 3
findtime = 600
[postfix]
enabled = true
port = all
filter = postfix
logpath = /var/log/mail.log
[dovecot]
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
[dovecot-long]
findtime = 86400
maxretries = 10
# 5 days
bantime = 432000
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
[ssh]
port = all
root@messagerie[10.10.10.19] ~ #
My defaults from jail.conf
--------------------------
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
findtime = 600
maxretry = 3
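An added example, not from the original post, that replays the quoted dovecot failures through a fail2ban-style sliding window so the two jail settings can be compared (the year 2017 is assumed, since dovecot's timestamps omit it, and the user/session fields are shortened). The option fail2ban reads is spelled `maxretry`; a key spelled `maxretries` is not that option, so the jail keeps the [DEFAULT] value of 3 from jail.conf, and the simulation shows that 3 reproduces the ban timestamp in fail2ban.log while 10 never bans.

```python
# Added example (not from the original post): replay the quoted dovecot
# auth failures through a fail2ban-style sliding window and see which
# maxretry value reproduces the ban logged at 2017-08-26 01:49:50.
import re
from datetime import datetime, timedelta

# Constructed from the zgrep output in the post (year 2017 assumed,
# user/session fields shortened).
DOVECOT_LINES = """\
Aug 25 12:40:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<x>
Aug 25 23:15:36 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<b>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<x>
Aug 26 01:49:50 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<c>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected, session=<x>
Jul 30 11:00:38 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=<sde>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected, session=<x>
Aug 05 17:48:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 8 secs): user=<d>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<x>
Aug 14 00:49:21 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<e>, method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS, session=<x>
"""

# Timestamp and source IP (rip=) of an imap-login auth-failure line.
FAIL_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) imap-login: .*auth failed.*rip=([\d.]+)")


def parse_failures(text, year=2017):
    """Return (timestamp, ip) pairs for auth-failure lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)


def first_ban(events, ip, findtime, maxretry):
    """Simulate a jail: a ban fires at the first failure that brings the
    count of failures from `ip` within the trailing `findtime` seconds up
    to `maxretry`. Returns the ban timestamp, or None if never reached."""
    window = []
    for ts, src in events:
        if src != ip:
            continue
        window.append(ts)
        cutoff = ts - timedelta(seconds=findtime)
        window = [t for t in window if t > cutoff]  # drop expired failures
        if len(window) >= maxretry:
            return ts
    return None


if __name__ == "__main__":
    ev = parse_failures(DOVECOT_LINES)
    for maxretry in (10, 3):  # intended value vs. the [DEFAULT] from jail.conf
        print(f"findtime=86400 maxretry={maxretry}:",
              first_ban(ev, "221.228.229.49", 86400, maxretry))
```

With maxretry=10 the output is None; with the default of 3 it is 2017-08-26 01:49:50, the exact time of the ban in fail2ban.log.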
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users