Hi list,
My mail server is using dovecot v2.2.33 on CentOS 7. I installed fail2ban
v0.9.7 from the EPEL repo. I just noticed the dovecot filter seems not to be
working. My maillog has entries:
Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<oBeRjh5gZ8nQZBrp>
Dec 12 03:10:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.235, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=</7xDsSJgZ+DQZBrr>
But the test shows no match:
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/maillog
Use encoding : UTF-8
Results
=======
*Failregex: 0 total*
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [24406] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 24406 lines, 0 ignored, *0 matched*, 24406 missed
[processed in 3.56 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 24406 lines
I enabled dovecot in jail.local:
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
I just use the default dovecot filter:
# cat /etc/fail2ban/filter.d/dovecot.conf
# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
Could someone help me with this? I must have missed something here. BTW other
filters work fine.
Thanks.
Gao
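An added check, not from the post and not fail2ban's own code, that applies the pop3/imap-login failregex from the quoted dovecot.conf to the quoted log lines in plain Python and reports which ones it covers: the parenthesised part of that pattern only accepts "auth failed, N attempts" or "tried to use ... auth", so a "no auth attempts" TLS-handshake line is missed no matter what follows it. The prefix, timestamp and <HOST> patterns are simplified stand-ins (assumptions), and the third sample line is constructed.

```python
import re

# Constructed stand-in for common.conf's %(__prefix_line)s (assumption): optional
# syslog hostname, then a "dovecot:" or "dovecot[pid]:" tag. fail2ban applies the
# failregex only after its date detector has removed the timestamp, so none here.
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:dovecot(?:\[\d+\])?:\s+)?"
# Group fail2ban 0.9.x substitutes for <HOST> (optional IPv4-mapped IPv6 prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Syslog timestamp the date detector strips before matching (assumption: "%b %e %T").
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# The pop3/imap-login failregex from the quoted dovecot.conf, copied unchanged.
LOGIN_FAILREGEX = (
    r"^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)?"
    r" rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: "
    r"error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
)
LOGIN_RE = re.compile(
    LOGIN_FAILREGEX.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
)


def match_line(line):
    """Return the rip= host the failregex would ban for this line, or None if missed."""
    m = LOGIN_RE.match(TIMESTAMP.sub("", line, count=1))
    return m.group("host") if m else None


def missed_lines(lines):
    """Lines fail2ban-regex would count as 'missed' for this failregex."""
    return [line for line in lines if match_line(line) is None]


# Sample input: the two lines from the post, plus one constructed "auth failed"
# line in the shape the filter was written for (constructed values, not real logs).
SAMPLE_LINES = [
    "Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: "
    "error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<oBeRjh5gZ8nQZBrp>",
    "Dec 12 03:10:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=208.100.26.235, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: "
    "error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=</7xDsSJgZ+DQZBrr>",
    "Dec 12 04:05:06 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): "
    "user=<admin>, method=PLAIN, rip=198.51.100.7, lip=10.11.22.68, TLS, session=<abc123>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        host = match_line(line)
        print("matched" if host else "missed ", host, line[16:60])
```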
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users