Re: [Fail2ban-users] dovecot jail bans K9 Mail client

2018-07-12 Thread Sophie Loewenthal
Oh, maybe it was all those auth failed messages.

On July 12, 2018 10:30:47 AM CEST, Sophie Loewenthal  
wrote:
>Hi Nick,
>
>Here you go.  domain name/users have been obfuscated.
>
>
>Running tests
>=
>
>Use   failregex filter file : dovecot, basedir: /etc/fail2ban
>Use log file : /var/log/mail.log.1
>Use encoding : UTF-8
>
>
>Results
>===
>
>Failregex: 11 total
>|-  #) [# of hits] regular expression
>|   4) [11] dovecot:.+auth failed.+rip=
>`-
>
>Ignoreregex: 0 total
>
>Date template hits:
>|- [# of hits] date format
>|  [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:
>Year)?
>`-
>
>Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
>[processed in 0.78 sec]
>
>|- Matched line(s):
>|  Jul 11 20:16:48 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 8 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:19:26 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:19:57 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:23:21 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:33:53 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 12 00:47:33 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 3 secs): ju...@example.co.uk>, method=PLAIN,
>rip=61.231.17.69, lip=172.31.1.100, TLS: Disconnected, TLSv1 with
>cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>`-
>Missed line(s): too many to print.  Use --print-all-missed to print all
>6117 lines
>
>
>
>> On 12 Jul 2018, at 09:50, Nick Howitt  wrote:
>> 
>> Sorry, should have replied to the list.
>> 
>> Add --print-all-matched to the fail2ban-regex command
>> 
>> On 12/07/2018 07:59, Sophie Loewenthal wrote:
>>> 
>>> Morning,
>>> 
>>> A new K9 Mail client gets banned all the time and I am trying to
>work out why.
>>> I have this regex:
>>> failregex =
>auth:.+dovecot:auth.+authentication\s+failure;.+rhost=
>>> dovecot:.+rip=.+wrong version number
>>> dovecot:.+tried to use disallowed plaintext
>auth.+rip=
>>> dovecot:.+auth failed.+rip=
>>> dovecot:.+no auth attempts.+rip=
>>> The mail.log has lines like these. The last line spams the log
>several times a second.
>>> Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>,
>method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS,
>TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>>> Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection
>closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in
>+ 10+0 B out, state=wait-input) in=179 out=1726
>>> user2
>>> So I tested the regex and had 11 hits - Unsure how to show those
>matched lines.
>>> # fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r
>>> 
>>> Running tests
>>> =
>>> 
>>> Use failregex filter file : dovecot, basedir: /etc/fail2ban
>>> Use log file : /var/log/mail.log.1
>>> Use encoding : UTF-8
>>> 
>>> 
>>> Results
>>> ===
>>> 
>>> Failregex: 11 total
>>> |- #) [# of hits] regular expression
>>> | 4) [11] dovecot:.+auth failed.+rip=
>>> `-
>>> 
>>> Ignoreregex: 0 total
>>> 
>>> Date template hits:
>>> |- [# of hits] date format
>>> | [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:
>Year)?
>>> `-
>>> 
>>> Lines: 6128 lines, 0 ignored, 11 matc

Re: [Fail2ban-users] dovecot jail bans K9 Mail client

2018-07-12 Thread Sophie Loewenthal
Hi Nick,

Here you go.  domain name/users have been obfuscated.


Running tests
=

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8


Results
===

Failregex: 11 total
|-  #) [# of hits] regular expression
|   4) [11] dovecot:.+auth failed.+rip=
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.78 sec]

|- Matched line(s):
|  Jul 11 20:16:48 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 8 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 
attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, 
lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:19:26 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, 
lip=127.0.0.1, secured
|  Jul 11 20:19:57 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, 
lip=127.0.0.1, secured
|  Jul 11 20:23:21 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, 
lip=127.0.0.1, secured
|  Jul 11 20:33:53 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, 
lip=127.0.0.1, secured
|  Jul 12 00:47:33 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
attempts in 3 secs): ju...@example.co.uk>, method=PLAIN, rip=61.231.17.69, 
lip=172.31.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA 
(256/256 bits)
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 6117 
lines



> On 12 Jul 2018, at 09:50, Nick Howitt  wrote:
> 
> Sorry, should have replied to the list.
> 
> Add --print-all-matched to the fail2ban-regex command
> 
> On 12/07/2018 07:59, Sophie Loewenthal wrote:
>> 
>> Morning,
>> 
>> A new K9 Mail client gets banned all the time and I am trying to work out 
>> why.
>> I have this regex:
>> failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=
>> dovecot:.+rip=.+wrong version number
>> dovecot:.+tried to use disallowed plaintext auth.+rip=
>> dovecot:.+auth failed.+rip=
>> dovecot:.+no auth attempts.+rip=
>> The mail.log has lines like these. The last line spams the log several times 
>> a second.
>> Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>, 
>> method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, TLSv1.2 
>> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>> Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection closed 
>> (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B 
>> out, state=wait-input) in=179 out=1726
>> user2
>> So I tested the regex and had 11 hits - Unsure how to show those matched 
>> lines.
>> # fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r
>> 
>> Running tests
>> =
>> 
>> Use failregex filter file : dovecot, basedir: /etc/fail2ban
>> Use log file : /var/log/mail.log.1
>> Use encoding : UTF-8
>> 
>> 
>> Results
>> ===
>> 
>> Failregex: 11 total
>> |- #) [# of hits] regular expression
>> | 4) [11] dovecot:.+auth failed.+rip=
>> `-
>> 
>> Ignoreregex: 0 total
>> 
>> Date template hits:
>> |- [# of hits] date format
>> | [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>> 
>> Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
>> [processed in 0.77 sec]
>> 
>> Missed line(s): too many to print. Use --print-all-missed to print all 6117 
>> lines
>> For the time being I have set the IPs in the ignoreip regex.
>

Re: [Fail2ban-users] dovecot jail bans K9 Mail client

2018-07-12 Thread Nick Howitt

Sorry, should have replied to the list.

Add --print-all-matched to the fail2ban-regex command

On 12/07/2018 07:59, Sophie Loewenthal wrote:


Morning,

A new K9 Mail client gets banned all the time and I am trying to work 
out why.

I have this regex:
failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=
            dovecot:.+rip=.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=
            dovecot:.+auth failed.+rip=
            dovecot:.+no auth attempts.+rip=
The mail.log has lines like these. The last line spams the log several 
times a second.
Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>, 
method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, 
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection 
closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B 
in + 10+0 B out, state=wait-input) in=179 out=1726

user2
So I tested the regex and had 11 hits - Unsure how to show those 
matched lines.

# fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r

Running tests
=

Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8


Results
===

Failregex: 11 total
|- #) [# of hits] regular expression
| 4) [11] dovecot:.+auth failed.+rip=
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: 
Year)?

`-

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.77 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 
6117 lines

For the time being I have set the IPs in the ignoreip regex.
I've not seen the dovecot message "Connection closed (IDLE running for 
0.001 + waiting input for"  before. I don't know what it means, but 
the logs sometimes get spammed by it from K9 Mail.

Has anyone seen this afore?
Best, Sophie


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
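As an added illustration (not code from the thread or from fail2ban itself), a small Python replay of the posted failregex list over constructed log lines modelled on the matched output above. It shows which pattern fires and why a legitimate client that keeps failing authentication crosses maxretry inside findtime while the loopback lines do not. It assumes the original regexes ended in fail2ban's `<HOST>` tag after `rip=` and `rhost=` (the archive appears to have dropped the angle brackets), stands in an IPv4-only group for `<HOST>`, spells the last pattern `attempts` as Dovecot logs it, and uses `findtime=600`/`maxretry=5` as assumed defaults rather than the poster's jail settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the thread; fail2ban's <HOST> tag is assumed after rip=/rhost= (the archive
# appears to have stripped the angle brackets). Real <HOST> also covers IPv6/hostnames; IPv4 suffices here.
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attempts.+rip=<HOST>",  # "attempts" is the spelling Dovecot logs
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_line(line):
    """Return (1-based failregex number, host) for the first regex that fires, else None."""
    for n, rx in enumerate(COMPILED, 1):
        if (m := rx.search(line)):
            return n, m.group("host")
    return None

def replay(lines, findtime=600, maxretry=5):
    """Like a jail: count hits per regex and per host in a sliding findtime window; return (hits, banned)."""
    hits, recent, banned = defaultdict(int), defaultdict(deque), []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        n, host = hit
        hits[n] += 1
        q = recent[host]
        q.append(datetime.strptime(line[:15], "%b %d %H:%M:%S"))  # syslog stamp carries no year
        while q[-1] - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return dict(hits), banned

# Constructed sample modelled on the thread's matched lines: six "auth failed" lines from one
# client within 4 s, four from loopback over 14 min, then a successful login and an IDLE close.
AUTH_FAILED = "{ts} mx10 dovecot: imap-login: Disconnected (auth failed, {n} attempts in {s} secs): user=<u...@example.co.uk>, method=PLAIN, rip={ip}, lip={lip}"
SAMPLE = (
    [AUTH_FAILED.format(ts="Jul 11 20:16:48", n=2, s=8, ip="94.109.31.39", lip="172.31.1.100")]
    + [AUTH_FAILED.format(ts="Jul 11 20:16:52", n=2, s=12, ip="94.109.31.39", lip="172.31.1.100")] * 5
    + [AUTH_FAILED.format(ts=f"Jul 11 20:{m}", n=1, s=2, ip="127.0.0.1", lip="127.0.0.1")
       for m in ("19:26", "19:57", "23:21", "33:53")]
    + ["Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<u...@example.org>, method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS",
       "Jul 11 06:23:07 mx10 dovecot: imap(u...@example.co.uk): Connection closed (IDLE running for 0.001 + waiting input for 688.172 secs, state=wait-input)"]
)
```

The per-regex count is the same figure fail2ban-regex prints in its `#) [# of hits]` column, and replaying with `maxretry=3` also catches the loopback address, which is the case the ignoreip workaround in the thread covers.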
