I've recently setup dovecot with fail2ban on AlmaLinux 9. I'm using the
included dovecot filter:
##### BEGIN DOVECOT FILTER #####
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:dovecot(?:-auth)?|auth)
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\):
auth(?:-worker)?<\d+>: )?
_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?:
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?:
|(?:pop3|imap|managesieve|submission)-login: )?(?:Info:
)?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1>
uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER>
rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
^(?:Aborted login|Disconnected|Remote closed connection|Client has
quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?:
in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth
failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)?
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User
not known to the underlying authentication module: \d+ Time\(s\)|Authentication
failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown
user|[Ii]nvalid credentials|[Pp]assword mismatch)
<mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed
connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no
auth attempts|disconnected before auth was ready,|client didn't finish \S+
auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)?
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't
finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal
ignoreregex =
journalmatch = _SYSTEMD_UNIT=dovecot.service
datepattern = {^LN-BEG}TAI64N
{^LN-BEG}
##### END DOVECOT FILTER #####
My log lines look like this:
Apr 3 16:57:16 mail01 dovecot[338717]: pop3-login: Disconnected: Connection
closed (auth failed, 7 attempts in 40 secs): user=<bork>, method=PLAIN,
rip=192.0.2.10, lip=192.0.2.100, session=<jzMhp+IxIPvY6wcD>
The problem I'm having is this:
1) dovecot only logs authentication failures *after* the connection is closed
2) dovecot doesn't seem to have a way to limit number of auth attempts per
connection (although it does have a way to slow them down)
3) fail2ban only seems to count the above line as *1* failure, instead of 7.
Is there any to have fail2ban count the multiple failure attempts in a single
line of log as multiple attempts, instead of just counting the number of
"failed" lines? The problem is a user can just sit on one connection, and
attempt to authenticate over and over, and they will never be banned. I know
fail2ban can't help with all of that, but at some point when the user
disconnects we could at least ban them then if fail2ban could count failures
within a line.
Is there another common approach that I'm missing here? It seems to me that in
this specific scenario, fail2ban is not as useful as it could be.
Cheers,
Gary T. Giesen
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
