Dear Noel, thanks for your reply. So why is this a problem to fix it for dovecot?
Please don't get me wrong: I do not want to criticise that there is neither a fail2ban wiki entry that says: if you use virtual users with dovecot, the provided regex will fail -> use your own nor a fix.
Are the different logging formats of dovecot too complex to reflect them in a couple of failregex?

Kind regards,
Ralph

2015-02-23 2:15 GMT+01:00 Noel Butler <[email protected]>:
> This has been brought up many times before, with dovecot, the logging format
> changes depending on what your setup is doing, especially using virtual
> users with a database
>
> The default has always been useless here as well :)
>
> On 23/02/2015 04:21, Ralph Plawetzki wrote:
>
> Hi,
>
> first of all: thank you very much to all developers and contributors
> for providing fail2ban!
>
> I have successfully set up fail2ban. Overall only the failregex for
> roundcube-auth needed some adjustment which is clear as I do not use
> the roundcube package from the Ubuntu repository and the dovecot jail
> gave me a hard time.
>
> OOTB the dovecot jail was not working at all.
> The auth attempts get logged in /var/log/mail.log and look like this:
>
> Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN, rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>
>
> From the failregex that were installed with the Ubuntu fail2ban
> package none worked.
> When I test these with fail2ban-regex, the above log line is missed.
>
> Problem 1:
> I developed the following failregex which is hit, when I test it with
> fail2ban-regex, but when I test login to dovecot with this failregex
> in place (Thunderbird with wrong IMAP-password), the status for the
> dovecot jail stays at 0 failures.
>
> ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?\s*(, session=<\w+>)?$
>
> In the dovecot wiki they suggest another failregex, which gets hit
> when I test it with fail2ban-regex and works with Thunderbird login
> attempts.
>
> (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>
> http://wiki2.dovecot.org/HowTo/Fail2Ban
>
> But to get the dovecot jail working, problem 2 has to be surrounded as well:
>
> Problem 2:
> As shown in the dovecot wiki the ports are configured differently.
> The default configuration of the dovecot jail looks like this:
>
> [dovecot]
>
> enabled = true
> port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
> filter = dovecot
> logpath = /var/log/mail.log
>
> But even with the above failregex the dovecot jail needs "imap, imaps"
> as port to work, "imap2,imap3,imaps" is not working.
>
> So finally I got a working configuration with port = imap,imaps and
> the failregex
>
> (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>
> I would have opened an issue on fail2ban@github
> and provided a patch
> but so far I do not understand, why problem 1 occurs. How can a
> failregex be hit by fail2ban-regex but not work with the server?
>
> Any ideas on this?
>
> Kind regards,
> Ralph

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
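
Added example (not part of the original thread and not fail2ban's own code): a Python check that runs both failregex quoted in the thread over two constructed log lines. It shows one way an anchored filter can pass a single fail2ban-regex test and still miss other lines: the trailing `(, session=<\w+>)?$` rejects a session token that contains characters outside `\w`, while the unanchored wiki pattern still matches. The `PREFIX` and `HOST` expansions, the helper names and both sample lines are assumptions made for illustration.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's own substitutions:
# %(__prefix_line)s -> syslog timestamp, host and "dovecot: " tag; <HOST> -> IPv4.
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ dovecot: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Anchored failregex from the thread (Problem 1).
STRICT = (
    r"^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)"
    r"(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)?"
    r" rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?"
    r"\s*(, session=<\w+>)?$"
)
# Unanchored failregex from the dovecot wiki, as quoted in the thread.
WIKI = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

def compile_filter(failregex):
    """Expand the two placeholders (hypothetical helper) and compile."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))

def matched_host(failregex, line):
    """Return the captured host, or None if the filter misses the line."""
    m = compile_filter(failregex).search(line)
    return m.group("host") if m else None

# Constructed sample lines modelled on the one in the thread (documentation IPs).
BASE = ("Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected "
        "(auth failed, 2 attempts in 16 secs): user=<someone>, method=PLAIN, "
        "rip=192.0.2.10, lip=198.51.100.5, TLS, session=<%s>")
LINES = {"word-only session": BASE % "x0WPsMsOrwBtKeYR",
         "session with + and /": BASE % "x0WP+MsOrw/tKeYR"}

def compare():
    """Map each sample line to (host seen by STRICT, host seen by WIKI)."""
    return {name: (matched_host(STRICT, line), matched_host(WIKI, line))
            for name, line in LINES.items()}

if __name__ == "__main__":
    for name, (strict, wiki) in compare().items():
        print(f"{name:22} strict={strict} wiki={wiki}")
```

Testing a filter with fail2ban-regex against the whole log file rather than one pasted line exposes misses of this kind, because every variant the server actually writes is exercised.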
