I'm having a problem where legitimate mail (postfix) and imap (dovecot) users are getting blocked ... but let's just take dovecot right now.
I'm using fail2ban-server-0.10.4-1.el7.noarch from the EPEL repository.

To troubleshoot why host 70.112.73.79 is getting banned, first I did (to get a smaller log sample):

$ grep 70.112.73.79 /var/log/maillog >/tmp/mlog

Then I ran:

$ fail2ban-regex /tmp/mlog /etc/fail2ban/filter.d/dovecot.conf

I got as a result:

| Lines: 4690 lines, 0 ignored, 0 matched, 4690 missed

Next, I copied dovecot.conf to try.conf and changed the mode from "normal" to "aggressive":

| --- dovecot.conf 2018-10-04 09:26:22.000000000 +0000
| +++ try.conf 2020-01-04 17:26:23.863556792 +0000
| @@ -28,7 +28,8 @@
| # Note it may produce lots of false positives on misconfigured MTAs.
| # Ex.:
| # filter = dovecot[mode=aggressive]
| -mode = normal
| +#mode = normal
| +mode = aggressive
|
| ignoreregex =

Then I ran:

$ fail2ban-regex /tmp/mlog /etc/fail2ban/filter.d/try.conf

The result was:

| Lines: 4690 lines, 0 ignored, 1569 matched, 3121 missed

So I'm getting matches when mode is set to "aggressive" but not when mode is "normal".

To confirm, I correlated the log entry that triggered the ban:

| Jan 4 17:09:10 tasha dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=70.112.73.79, lip=172.31.34.31, session=<tb4cfFObHYZGcElP>

to the filter, and it's matched by the "mdre-aggressive" regexp.

I'm unsure why this is being matched, even though I never set the mode to "aggressive". Here are my configuration settings:

From jail.conf:

| # dovecot defaults to logging to the mail syslog facility
| # but can be set by syslog_facility in the dovecot configuration.
| [dovecot]
|
| port = pop3,pop3s,imap,imaps,submission,465,sieve
| logpath = %(dovecot_log)s
| backend = %(dovecot_backend)s

From jail.d/local.conf:

| [dovecot]
| enabled = true

Any ideas what I may be overlooking here?

--
Courtney Rosenthal / c...@crosenthal.com / 512-573-5174

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
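Review bot: the context lines kept in this hunk (`# Ex.:` / `# filter = dovecot[mode=aggressive]`) already show the supported way to select the mode per jail, so for anything beyond this fail2ban-regex test, `filter = dovecot[mode=aggressive]` in the jail definition is preferable to editing or cloning the shipped filter file. Within the test copy, dropping the `+#mode = normal` line rather than keeping it above `+mode = aggressive` would leave the effective value unambiguous when the file is read back later.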
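As an added illustration (not the poster's nor the fail2ban project's code), here is a small Python model of how the filter's `<mdre-<mode>>` substitution changes what gets matched: the base rules catch real authentication failures, while the mode-specific "aggressive" rule also catches connections that never attempted to authenticate. The regexes are simplified stand-ins for the real dovecot.conf patterns (an assumption), and every sample log line except the one quoted above is constructed.

```python
import re

# Constructed sample log: line 1 is the entry quoted in the post, the
# others are made-up lines for contrast (one real auth failure, one login).
SAMPLE_LOG = """\
Jan 4 17:09:10 tasha dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=70.112.73.79, lip=172.31.34.31, session=<tb4cfFObHYZGcElP>
Jan 4 17:09:12 tasha dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=172.31.34.31, session=<abcdef>
Jan 4 17:09:13 tasha dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.11, lip=172.31.34.31
"""

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-ins for the filter's patterns (assumption, not the
# project's actual regexes). Base rules: genuine failed logins only.
BASE_FAILREGEX = [
    r"Disconnected(?::[^\(]*)? \(auth failed, \d+ attempts(?: in \d+ secs)?\):"
    r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=" + HOST,
]
# Mode-specific rules, selected by the <mdre-<mode>> placeholder:
# mdre-normal is empty, mdre-aggressive adds the "no auth attempts" case.
MDRE = {
    "normal": [],
    "aggressive": [
        r"Disconnected(?::[^\(]*)? \(no auth attempts(?: in \d+ secs)?\):"
        r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=" + HOST,
    ],
}


def failregex_for(mode):
    """Mirror fail2ban's substitution: base rules plus the rules for `mode`."""
    return [re.compile(p) for p in BASE_FAILREGEX + MDRE[mode]]


def run_filter(log_text, mode):
    """Like fail2ban-regex: return (list of matched hosts, count of missed lines)."""
    rules = failregex_for(mode)
    matched, missed = [], 0
    for line in log_text.splitlines():
        hit = next((m for m in (r.search(line) for r in rules) if m), None)
        if hit:
            matched.append(hit.group("host"))
        else:
            missed += 1
    return matched, missed


if __name__ == "__main__":
    for mode in ("normal", "aggressive"):
        hosts, missed = run_filter(SAMPLE_LOG, mode)
        print(f"mode={mode}: matched {len(hosts)} {hosts}, missed {missed}")
```

Only the aggressive rule set matches the quoted "no auth attempts" line, so a ban triggered by that line implies the running jail is evaluating the aggressive rule, whatever the filter file on disk says.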