[Fail2ban-users] Unbanned IPs always get banned again, why!?

Mon, 11 Jun 2018 21:47:53 -0700 

I don't have much experience... but my Dovecot filter has always worked.
Recently I had a network issue in my server then a lot of Google Gmail IPs
trying to access my server's POP3 got banned. I try to unban them, but
every time I restart fail2ban service they get banned again, I don't
understand why. I thought I cleared everything.

*/etc/fail2ban/jail.local:*
findtime = 604800
bantime  = 2592000
maxretry = 3
...
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

*Me trying to clear everything:*
service fail2ban stop
rm /var/log/fail2ban.log
rm /var/log/maillog
rm /var/lib/fail2ban/fail2ban.sqlite3
service fail2ban start

*When I start, about 90 IPs gets instantly banned. Why? Where fail2ban got
them!?*

*/etc/fail2ban/filter.d/dovecot.conf:*
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex =
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted
login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?:
handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot:
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\):
pam_authenticate\(\) failed: (User not known to the underlying
authentication module: \d+ Time\(s\)|Authentication failure \(password
mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)):
(?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info:
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service


Thanks!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Reply via email to