Can you grep/zgrep to get the fail2ban logs that show when fail2ban has
actually "found" the specific log entries for the IP that's being banned?
Depending on what version you're using, the log file will show the
timestamp from the actual log file, so you can troubleshoot exactly what
failures it's finding. So, I'm not after the dovecot log but the fail2ban
log saying "found [ip address]".

For example, my fail2ban.log shows this for my "crawlers" jail:

2017-09-01 08:45:52,144 fail2ban.filter         [2469]: INFO    [crawlers]
Found XX.XX.XX.XX - 2017-08-31 08:55:10

Because it shows the actual time of the item in the original log file, this
will help to clarify exactly what is causing f2b to ban these addresses -
whether it's getting duplicate info from somewhere, for example. If you can
grep for that ip address in fail2ban.log you'll get a clear picture of
exactly what it's "found" to make it ban the address.

Often, when this has happened to me it's related to rotating of log files -
if a log file is rotated and renamed, fail2ban might "find" the failure as
a new failure. So if you've got it in dovecot.log and then dovecot.log gets
rotated to dovecot.log.1, fail2ban can find it as a new failure cos
dovecot.log.1 is a "new" file, so fail2ban says "oh look, all these new
failures in this log file". But you've only got "dovecot.log" as your
logpath in your jail conf, so unless you've got some other program that's
doing something with the log file, I guess that can't be the problem. It's
worth mentioning in case it sparks an idea.




Tony Collins

On 27 August 2017 at 15:08, chaouche yacine via Fail2ban-users <
fail2ban-users@lists.sourceforge.net> wrote:

> Dear list,
>
> THE SETUP
> ---------
> I decided to have two jails to monitor my dovecot log : one for the small
> time frame [dovecot] and one for the large time frame [dovecot-long].
>
> [dovecot]
> enabled = true
> port    = all
> filter  = dovecot
> logpath = /var/log/dovecot.log
>
> [dovecot-long]
> findtime   = 86400
> maxretries = 10
> # 5 days
> bantime    = 432000
> enabled    = true
> port       = all
> filter     = dovecot
> logpath    = /var/log/dovecot.log
>
>
> THE EXPECTED RESULTS
> --------------------
> The dovecot-long jail should ban after 10 fails in 1 day.
>
> THE ACTUAL RESULTS
> ------------------
> The dovecot-long jail is banning an IP that hasn't 10 fails in 1 day. For
> example :
>
> root@messagerie[10.10.10.19] ~ # zgrep imap-login.*221.228.229.49
> /var/log/dovecot.log*
> /var/log/dovecot.log.2.gz:Aug 25 12:40:31 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 7 secs): user=<a.chaou...@domain.tld>,
> method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS,
> session=<tWMlaZJX9ADd5OUx>
> /var/log/dovecot.log.2.gz:Aug 25 23:15:36 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 5 secs): user=<administra...@domain.tld>,
> method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS,
> session=<PKyLSJtXXgDd5OUx>
> /var/log/dovecot.log.2.gz:Aug 26 01:49:50 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 8 secs): user=<cont...@domain.tld>,
> method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected,
> session=<nGftb51X/ADd5OUx>
> /var/log/dovecot.log.4.gz:Jul 30 11:00:38 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 5 secs): user=<sde>, method=PLAIN,
> rip=221.228.229.49, lip=10.10.10.19, TLS: Disconnected,
> session=<Kv0q/IVVaQDd5OUx>
> /var/log/dovecot.log.4.gz:Aug 05 17:48:28 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 8 secs): user=<chai...@domain.tld>,
> method=PLAIN, rip=221.228.229.49, lip=10.10.10.19, TLS,
> session=<lVyQYQRWGgDd5OUx>
> /var/log/dovecot.log.4.gz:Aug 14 00:49:21 imap-login: Info: Disconnected
> (auth failed, 1 attempts in 6 secs): user=<radioculture>, method=PLAIN,
> rip=221.228.229.49, lip=10.10.10.19, TLS, session=<J3mfMatWdADd5OUx>
> root@messagerie[10.10.10.19] ~ #
>
>
> This is 6 fails in nearly 2 months, yet the IP was banned by the
> dovecot-long jail :
>
> root@messagerie[10.10.10.19] ~ # zgrep 221.228.229.49
> /var/log/fail2ban.log.*
> /var/log/fail2ban.log.1:2017-08-26 01:49:50,396 fail2ban.actions[10631]:
> WARNING [dovecot-long] Ban 221.228.229.49
> root@messagerie[10.10.10.19] ~ #
>
>
>
> Anyone knows how can I troubleshoot this ?
>
> -- Yassine.
>
>
>
>
>
> Complete jail.local
> -------------------
>
> root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
> [DEFAULT]
> action = shorewall
> ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
>
> # ychaouche
> # the default is 10 minutes,
> # I set it to 1 day.
> bantime = 86400
>
> [postfix-sasl]
> enabled  = true
> port     = all
> filter   = postfix-sasl
> #action   = shorewall
> logpath  = /var/log/mail.warn
> maxretry = 3
> findtime = 600
>
> [postfix]
> enabled  = true
> port     = all
> filter   = postfix
> logpath  = /var/log/mail.log
>
> [dovecot]
> enabled = true
> port    = all
> filter  = dovecot
> logpath = /var/log/dovecot.log
>
> [dovecot-long]
> findtime   = 86400
> maxretries = 10
> # 5 days
> bantime    = 432000
> enabled    = true
> port       = all
> filter     = dovecot
> logpath    = /var/log/dovecot.log
>
> [ssh]
> port = all
> root@messagerie[10.10.10.19] ~ #
>
>
>
> My defaults from jail.conf
> ---------------------------
>
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8
> ignorecommand =
> bantime  = 600
> findtime = 600
> maxretry = 3
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>
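A small script that applies the advice in the reply above (grep fail2ban.log for the "Found" lines of the banned IP and look at the source-log timestamps fail2ban echoes). This is an added example, not code from the thread or from fail2ban; the log lines are constructed from the three dovecot failure times quoted in the original mail, and the function names, the regex and the "counter resets after a ban" simplification are my own assumptions. Replaying the window with the `maxretry` value actually in effect (the jail.conf default of 3, if a jail-level override is not picked up) shows which failures pushed the count over the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of fail2ban.log lines in the "Found <ip> - <source time>"
# format shown in the reply. The source timestamps are the three dovecot
# failures quoted in the thread; the fail2ban wall-clock prefix is made up.
SAMPLE_LOG = """\
2017-08-25 12:40:31,512 fail2ban.filter [10631]: INFO [dovecot-long] Found 221.228.229.49 - 2017-08-25 12:40:31
2017-08-25 23:15:36,201 fail2ban.filter [10631]: INFO [dovecot-long] Found 221.228.229.49 - 2017-08-25 23:15:36
2017-08-26 01:49:50,377 fail2ban.filter [10631]: INFO [dovecot-long] Found 221.228.229.49 - 2017-08-26 01:49:50
2017-08-26 01:49:50,396 fail2ban.actions [10631]: WARNING [dovecot-long] Ban 221.228.229.49
"""

# Matches the "Found" line; tolerant of the padding spaces fail2ban adds.
FOUND_RE = re.compile(
    r"^\S+ \S+ fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] "
    r"Found (?P<ip>\S+) - (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)


def parse_found(text):
    """Return {(jail, ip): [datetime, ...]} built from the source-log
    timestamp that follows the dash on each 'Found' line."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            found[(m["jail"], m["ip"])].append(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return found


def replay_bans(times, findtime, maxretry):
    """Replay a findtime/maxretry sliding window over the failure times and
    return the timestamps at which a ban would fire. Simplification: the
    failure counter is cleared once a ban fires."""
    window = timedelta(seconds=findtime)
    recent, bans = [], []
    for t in sorted(times):
        recent = [x for x in recent if t - x <= window]  # drop expired hits
        recent.append(t)
        if len(recent) >= maxretry:
            bans.append(t)
            recent = []
    return bans


if __name__ == "__main__":
    for (jail, ip), times in parse_found(SAMPLE_LOG).items():
        for maxretry in (3, 10):
            print(jail, ip, "maxretry", maxretry, "->",
                  replay_bans(times, 86400, maxretry) or "no ban")
```

Run it against real data with `zgrep 'Found 221.228.229.49' /var/log/fail2ban.log*` piped into `parse_found` instead of the constructed sample.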