I use my own filter for dovecot - jail.local:
[dovecot]
enabled        = false
# ------------------------------------------------------------------------------
[dovecot-secure]
#enabled        = false
enabled        = true
filter        = my_dovecot_secure
...


my_dovecot_secure.conf:
[Definition]
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/my_dovecot_secure.conf


failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>
            dovecot:.+no auth attempts.+rip=<HOST>


ignoreregex =

[0:root@bb8 ~ 1]$ rpm -qa 'fail2ban*'
fail2ban-server-0.10.2-1.fc27.noarch

Bill

On 4/30/2018 11:56 AM, Robert Kudyba wrote:
We are on Fedora 27 and our version:
rpm -q fail2ban
fail2ban-0.10.2-1.fc27.noarch

Sample log snip of a login attempt not caught:

Apr 29 16:12:26 ourhostname dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<oldu...@ourserver.edu>, method=PLAIN, rip=181.214.87.30, lip=x.x.x.x, TLS, session=<DKGzWgJraSu11lce

contents of dovecot.conf:

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
<mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)

169 should have been caught, if I read this correctly:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/maillog
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 169 total
|-  #) [# of hits] regular expression
|   2) [169] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [28744] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 28744 lines, 0 ignored, 169 matched, 28575 missed
[processed in 6.30 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 28575 lines

in our jail.local:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog*
maxretry = 3
findtime = 10800
bantime = 7200

Am I missing something?
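To check a suspect log line against both filters in this thread without touching the live jail, the script below (added here; not part of either mail, fail2ban, or dovecot) replays Bill's single-stage failregex list and the stock filter's prefregex-then-failregex two-stage match with Python's re, which is what fail2ban itself uses. The prefix regex and the <HOST> expansion are simplified stand-ins (assumptions), and the log lines are constructed from the sample in the thread with a documentation address.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag; the real expansion is broader
# (IPv6 forms, hostnames). Assumption made for this example.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"
# failregex lines from Bill's my_dovecot_secure.conf, run against the whole line
# ("attempts" spelled as dovecot logs it).
BILL_FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attempts.+rip=<HOST>",
]
# Constructed prefix regex standing in for the stock prefregex, whose
# __prefix_line comes from common.conf and is not shown in the thread.
STOCK_PREFIX = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ dovecot: (?:pop3|imap)-login: (?P<content>.+)$")
# The stock failregex that fail2ban-regex reported with 169 hits (regex #2).
STOCK_FAILREGEX = (
    r"^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? "
    r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):"
    r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$"
)

def compile_failregex(patterns):
    """Expand <HOST> into a named group and compile with Python's re, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def match_bill(line):
    """Host extracted by Bill's single-stage filter, or None when no regex matches."""
    for rx in compile_failregex(BILL_FAILREGEX):
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def match_stock(line):
    """Two-stage match like the stock filter: prefix first, then failregex on <F-CONTENT>."""
    pm = STOCK_PREFIX.search(line)
    if not pm:
        return None
    m = compile_failregex([STOCK_FAILREGEX])[0].search(pm.group("content"))
    return m.group("host") if m else None

# Constructed log lines modelled on the thread's sample (192.0.2.10 is a documentation address).
FAILED_LOGIN = ("Apr 29 16:12:26 ourhostname dovecot: imap-login: Disconnected (auth failed, 1 attempts "
                "in 7 secs): user=<olduser@ourserver.edu>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, "
                "TLS, session=<DKGzWgJraSu11lce>")
TRUNCATED = FAILED_LOGIN[:-1]  # closing '>' of the session token cut off, as in the pasted sample
OK_LOGIN = ("Apr 29 16:13:01 ourhostname dovecot: imap-login: Login: user=<olduser@ourserver.edu>, "
            "method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS, session=<abc123>")
```

Both filters extract the rip address from the failed and the truncated line and ignore the successful login; if a real line from /var/log/maillog returns None here, the prefix (timestamp, hostname, process tag) is the first thing to compare against the filter's prefregex.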





_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
