This has been brought up many times before. With dovecot, the logging
format changes depending on what your setup is doing, especially when
using virtual users with a database.
The default has always been useless here as well :)
On 23/02/2015 04:21, Ralph Plawetzki wrote:
> Hi,
>
> first of all: thank you very much to all developers and contributors
> for providing fail2ban!
>
> I have successfully set up fail2ban. Overall, only the failregex for
> roundcube-auth needed some adjustment, which is clear as I do not use
> the roundcube package from the Ubuntu repository, and the dovecot jail
> gave me a hard time.
>
> OOTB the dovecot jail was not working at all.
> The auth attempts get logged in /var/log/mail.log and look like this:
>
> Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth
> failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN,
> rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>
>
> From the failregex that were installed with the Ubuntu fail2ban
> package none worked.
> When I test these with fail2ban-regex, the above log line is missed.
>
> Problem 1:
> I developed the following failregex which is hit, when I test it with
> fail2ban-regex, but when I test login to dovecot with this failregex
> in place (Thunderbird with wrong IMAP-password), the status for the
> dovecot jail stays at 0 failures.
>
> ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
> login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed,
> \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+
> auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>,
> lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?\s*(,
> session=<\w+>)?$
>
> In the dovecot wiki they suggest another failregex, which gets hit
> when I test it with fail2ban-regex and works with Thunderbird login
> attempts.
> (?: pop3-login|imap-login): (?:Authentication failure|Aborted login
> \(auth failed|Aborted login \(tried to use disabled|Disconnected
> \(auth failed).*rip=(?P<host>\S*),.*
> http://wiki2.dovecot.org/HowTo/Fail2Ban [1]
>
> But to get the dovecot jail working, problem 2 has to be surrounded as well:
>
> Problem 2:
> As shown in the dovecot wiki the ports are configured differently.
> The default configuration of the dovecot jail looks like this:
> [dovecot]
>
> enabled = true
> port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
> filter = dovecot
> logpath = /var/log/mail.log
>
> But even with the above failregex the dovecot jail needs "imap, imaps"
> as port to work, "imap2,imap3,imaps" is not working.
>
> So finally I got a working configuration with port = imap,imaps and
> the failregex (?: pop3-login|imap-login): (?:Authentication
> failure|Aborted login \(auth failed|Aborted login \(tried to use
> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>
> I would have opened an issue on fail2ban@github and provided a patch
> but so far I do not understand, why problem 1 occurs. How can a
> failregex be hit by fail2ban-regex but not work with the server?
>
> Any ideas on this?
>
> Kind regards,
> Ralph
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users [3]
Links:
------
[1] http://wiki2.dovecot.org/HowTo/Fail2Ban
[3] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
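
An added example, not part of the thread and not fail2ban's own code: it runs the two failregex patterns quoted above, written with their regex escapes (`\d`, `\S`, `\(`), against the posted log line and two constructed lines, outside fail2ban. `HOST` and `PREFIX` are simplified, assumed stand-ins for what fail2ban substitutes for `<HOST>` and `%(__prefix_line)s`; the helper names are hypothetical.

```python
import re

# Assumed, simplified stand-ins for what fail2ban expands itself (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ dovecot: "

# Failregex from "Problem 1", escapes written out.
FILTER_RE = (
    r"^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)"
    r"(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)"
    r"( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):"
    r"( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}"
    r"(, TLS( handshaking)?(: Disconnected)?)?\s*(, session=<\w+>)?$"
)
# Failregex quoted from the dovecot wiki, escapes written out.
WIKI_RE = (
    r"(?: pop3-login|imap-login): (?:Authentication failure"
    r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

def expand(failregex):
    """Substitute the two fail2ban placeholders with the stand-ins above."""
    return failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)

def banned_host(failregex, line):
    """Return the address the pattern would report for this line, else None."""
    m = re.search(expand(failregex), line)
    return m.group("host") if m else None

# POSTED is the line from the thread; the other two are constructed samples.
POSTED = ("Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth "
          "failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN, "
          "rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>")
NO_AUTH = ("Feb 11 09:25:03 hardliner dovecot: imap-login: Disconnected (no auth "
           "attempts in 3 secs): user=<>, rip=203.0.113.7, lip=192.0.2.1, "
           "session=<abc123>")
LOGIN_OK = ("Feb 11 09:26:10 hardliner dovecot: imap-login: Login: user=<alice>, "
            "method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS, session=<def456>")

if __name__ == "__main__":
    for name, line in [("posted", POSTED), ("no-auth", NO_AUTH), ("login-ok", LOGIN_OK)]:
        print(name, banned_host(FILTER_RE, line), banned_host(WIKI_RE, line))
```

Both patterns report the client address for the posted line; only the first also counts a disconnect with no auth attempts, and neither matches a successful login.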