Hello f2b,
I am monitoring[0] password mismatches for my dovecot server (which also
serves for SASL auth) and found out that a particular IP showed up several
times in the monitor.
A quick grep on the IP showed that it had at least 20 attempts[1] before it
got banned[2]. The jail config[3] shows that it has a maxretry of 10/day.
What am I missing?
Best,
--
Yassine -- sysadm
[0] My "Monitor" : https://i.imgur.com/IlhWucD.png
[1] Password mismatches
number of attempts : 20
root@messagerie-principale[10.10.10.19] ~ # grep "154.121.27.192.*Password" /var/log/dovecot.log | nl
1 Mar 30 15:35:52 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
2 Mar 30 15:35:58 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
3 Mar 30 15:36:06 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
4 Mar 30 15:36:08 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
5 Mar 30 15:36:13 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
6 Mar 30 15:36:16 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
7 Mar 30 15:36:21 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
8 Mar 30 15:36:22 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
9 Mar 30 15:36:23 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
10 Mar 30 15:36:24 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
11 Mar 30 15:36:27 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
12 Mar 30 15:36:29 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
13 Mar 30 15:36:31 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
14 Mar 30 15:36:33 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
15 Mar 30 15:36:35 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
16 Mar 30 15:36:35 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
17 Mar 30 15:36:37 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
18 Mar 30 15:36:37 auth-worker(55659): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
19 Mar 30 15:36:40 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
20 Mar 30 15:36:42 auth-worker(20288): Info: sql(hamid.mezi...@mydomain.tld,154.121.27.192): Password mismatch
root@messagerie-principale[10.10.10.19] ~ #
[2] Ban
3 seconds after 20th attempt
root@messagerie-principale[10.10.10.19] ~ # grep 154.121.27.192 /var/log/fail2ban.log
2022-03-30 15:36:45,184 fail2ban.actions[12430]: WARNING [dovecot-long] Ban 154.121.27.192
root@messagerie-principale[10.10.10.19] ~ #
[3] Jail config
10 retries in a day
root@messagerie-principale[10.10.10.19] ~ # fail2ban-client get dovecot-long maxretry
10
root@messagerie-principale[10.10.10.19] ~ # fail2ban-client get dovecot-long findtime
86400
root@messagerie-principale[10.10.10.19] ~ #
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
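
Added example, not part of the original message and not fail2ban's own code: a small Python check that measures how long after the maxretry-th failure (within findtime) the ban was actually logged, and how many further failures fell into that gap. The two regexes are assumptions fitted to the log lines shown above (not the jail's real failregex), and the sample is rebuilt from the post's timestamps with a placeholder username.

```python
import re
from collections import deque
from datetime import datetime

MAXRETRY, FINDTIME = 10, 86400  # values reported by fail2ban-client in the post
# Assumed patterns for the lines shown in the post; not the jail's real failregex.
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) auth-worker\(\d+\): Info: "
                     r"\w+\([^,]*,([0-9A-Fa-f.:]+)\): Password mismatch")
BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d [\d:]{8},\d{3}) .*\[([\w-]+)\] Ban (\S+)")

def failures(lines, ip, year):
    """Sorted timestamps of 'Password mismatch' lines for ip (dovecot.log has no year)."""
    hits = (FAIL_RE.match(line) for line in lines)
    return sorted(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                  for m in hits if m and m.group(2) == ip)

def crossing(times, maxretry=MAXRETRY, findtime=FINDTIME):
    """Time of the failure that brings the sliding-window count up to maxretry."""
    window = deque()
    for t in times:
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            return t
    return None

def ban_lag(log_lines, ban_line):
    """Compare when the threshold was reached with when the ban was logged."""
    m = BAN_RE.match(ban_line)
    ban_at = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    times = failures(log_lines, m.group(3), ban_at.year)
    hit = crossing(times)
    late = [t for t in times if hit and hit < t <= ban_at]
    return {"crossed": hit, "lag_s": (ban_at - hit).total_seconds() if hit else None,
            "failures_after_crossing": len(late)}

# Constructed sample: timestamps copied from the post, username is a placeholder.
STAMPS = ("15:35:52 15:35:58 15:36:06 15:36:08 15:36:13 15:36:16 15:36:21 "
          "15:36:22 15:36:23 15:36:24 15:36:27 15:36:29 15:36:31 15:36:33 "
          "15:36:35 15:36:35 15:36:37 15:36:37 15:36:40 15:36:42").split()
SAMPLE = [f"Mar 30 {s} auth-worker(20288): Info: "
          f"sql(user@example.test,154.121.27.192): Password mismatch" for s in STAMPS]
BAN = ("2022-03-30 15:36:45,184 fail2ban.actions[12430]: WARNING "
       "[dovecot-long] Ban 154.121.27.192")

if __name__ == "__main__":
    print(ban_lag(SAMPLE, BAN))
```

On the post's data the 10th failure is the 15:36:24 line and the ban is logged about 21 seconds later, with the other 10 failures falling inside that gap.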