Morning,

A new K9 Mail client gets banned all the time and I am trying to work
out why. 

I have this regex (one failregex entry, continuation lines indented):

failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>
            dovecot:.+no auth attempts.+rip=<HOST>

The mail.log has lines like these. The last line spams the log several
times a second. 

Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>,
method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS,
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) 

Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection
closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in
+ 10+0 B out, state=wait-input) in=179 out=1726 
user2  

So I tested the regex and had 11 hits. I'm unsure how to show those matched
lines.

# fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r

Running tests
=============

Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8

Results
=======

Failregex: 11 total
|- #) [# of hits] regular expression
| 4) [11] dovecot:.+auth failed.+rip=<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.77 sec]

Missed line(s): too many to print. Use --print-all-missed to print all
6117 lines 

For the time being I have set the IPs in the ignoreip regex.

I've not seen the dovecot message "Connection closed (IDLE running for
0.001 + waiting input for" before. I don't know what it means, but the
logs sometimes get spammed by it from K9 Mail.

Has anyone seen this afore? 

Best, Sophie
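An added example, not from Sophie's post and not fail2ban's own code: a small Python script that expands <HOST> the way fail2ban does (the substitution below is assumed to mirror fail2ban's default), then runs the posted failregex list over the two log lines quoted above, re-joined onto single lines, plus a constructed dovecot "auth failed" disconnect line. It shows that the noisy "Connection closed (IDLE running ...)" line matches none of the patterns, and that only an auth-failure line yields a hit with an extracted host.

```python
import re

# fail2ban substitutes <HOST> with a named group before compiling a failregex.
# This pattern is assumed to mirror fail2ban's default substitution.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex entries from the post (with "attemps" corrected to "attempts").
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attempts.+rip=<HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample log: the two lines from the post joined back onto one
# line each, plus a constructed dovecot "auth failed" disconnect line.
SAMPLE_LOG = [
    "Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<us...@example.org>, "
    "method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, "
    "TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection closed "
    "(IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, "
    "state=wait-input) in=179 out=1726",
    "Jul 11 06:25:41 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts "
    "in 2 secs): user=<us...@example.org>, method=PLAIN, rip=94.109.25.57, "
    "lip=172.31.1.100, TLS",
]


def match_line(line):
    """Return (failregex index, extracted host) for the first matching pattern, else None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def explain(lines):
    """Map every line to the failregex that would count it as a failure (None = missed)."""
    return [match_line(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, explain(SAMPLE_LOG)):
        tag = "MISSED" if result is None else f"regex #{result[0]} host={result[1]}"
        print(f"{tag:32} {line[:70]}")
```

fail2ban-regex itself can list the matching lines with --print-all-matched, which is the quickest way to see which 11 log lines produced the hits and whether they all come from the K9 client's address.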
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users