Dear F2B,
I am seeing a few lines that look like this in my dovecot log :
root@messagerie-principale[10.10.10.19] ~ # grep 20.89.58.29
/var/log/dovecot.log | head
Oct 13 13:17:53 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:18:02 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:18:21 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:18:46 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:19:01 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:19:14 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:19:31 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:19:40 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:19:59 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
Oct 13 13:20:22 auth-worker(48469): Info: sql(rai,20.89.58.29): unknown user
root@messagerie-principale[10.10.10.19] ~ # grep 20.89.58.29
/var/log/dovecot.log | wc -l
401
root@messagerie-principale[10.10.10.19] ~ #
This seems to be an attempt to authenticate as an inexistant user and I
think the IP
sould be banned in this case.
What do you suggest ?
Here's my current dovecot filter
root@messagerie-principale[10.10.10.19] ~ # cat
/etc/fail2ban/filter.d/dovecot.conf
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex =
^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
rhost=<HOST>(\s+user=\S*)?\s*$
# suppression du $ de fin de ligne car j'ai changé le format de log de
dovecot pour ajouter lport et service qui ne sont pas matchés ici.
# ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(,
TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(,
TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*
^%(__prefix_line)s(Info|dovecot: auth\(default\)):
pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the
underlying authentication module: \d+ Time\(s\)|Authentication failure
\(password mismatch\?\))\s*$
ignoreregex =
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because
produces
# lots of false positives on misconfigured MTAs making regexp unuseable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
root@messagerie-principale[10.10.10.19] ~ # grep "unknown user"
/etc/fail2ban/filter.d/dovecot.conf
root@messagerie-principale[10.10.10.19] ~ #
--
Yassine -- admin sysweb
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
