We are on Fedora 27 and our version:
rpm -q fail2ban
fail2ban-0.10.2-1.fc27.noarch
Sample log snip of a login attempt not caught:
Apr 29 16:12:26 ourhostname dovecot: imap-login: Disconnected (auth failed, 1
attempts in 7 secs): user=<oldu...@ourserver.edu>, method=PLAIN,
rip=181.214.87.30, lip=x.x.x.x, TLS, session=<DKGzWgJraSu11lce
contents of dovecot.conf:
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?:
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info:
)?<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot
ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth
failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+
auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:,
session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User
not known to the underlying authentication module: \d+ Time\(s\)|Authentication
failure \(password mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid
credentials)\s*$
<mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no
auth attempts|disconnected before auth was ready,|client didn't finish \S+
auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)?
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't
finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal
ignoreregex =
journalmatch = _SYSTEMD_UNIT=dovecot.service
datepattern = {^LN-BEG}TAI64N
{^LN-BEG}
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit
21/03/2016)
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
# Martin O'Neal (added LDAP authentication failure regex)
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
169 should have been caught, if I read this correctly:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/maillog
Use encoding : ANSI_X3.4-1968
Results
=======
Failregex: 169 total
|- #) [# of hits] regular expression
| 2) [169] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth
failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+
auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:,
session=<\S+>)?)\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [28744] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?:
ExYear)?
`-
Lines: 28744 lines, 0 ignored, 169 matched, 28575 missed
[processed in 6.30 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 28575
lines
in our jail.local:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog*
maxretry = 3
findtime = 10800
bantime = 7200
Am I missing something?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
