From: Ralph P. <ral...@gm...> - 2015-02-22 18:21:58
Hi,

first of all: thank you very much to all developers and contributors for providing fail2ban!

I have successfully set up fail2ban. Overall, only the failregex for roundcube-auth needed some adjustment, which is clear as I do not use the roundcube package from the Ubuntu repository, and the dovecot jail gave me a hard time.

OOTB the dovecot jail was not working at all. The auth attempts get logged in /var/log/mail.log and look like this:

    Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN, rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>

From the failregex that were installed with the Ubuntu fail2ban package none worked. When I test these with fail2ban-regex, the above log line is missed.

Problem 1:

I developed the following failregex which is hit when I test it with fail2ban-regex, but when I test login to dovecot with this failregex in place (Thunderbird with wrong IMAP password), the status for the dovecot jail stays at 0 failures.

    ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?\s*(, session=<\w+>)?$

In the dovecot wiki they suggest another failregex, which gets hit when I test it with fail2ban-regex and works with Thunderbird login attempts.

    (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

http://wiki2.dovecot.org/HowTo/Fail2Ban

But to get the dovecot jail working, problem 2 has to be surrounded as well:

Problem 2:

As shown in the dovecot wiki the ports are configured differently.
The default configuration of the dovecot jail looks like this:

    [dovecot]
    enabled = true
    port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
    filter = dovecot
    logpath = /var/log/mail.log

But even with the above failregex the dovecot jail needs “imap, imaps” as port to work, “imap2,imap3,imaps” is not working.

So finally I got a working configuration with

    port = imap,imaps

and the failregex

    (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

I would have opened an issue on fail2ban@github and provided a patch but so far I do not understand why problem 1 occurs. How can a failregex be hit by fail2ban-regex but not work with the server? Any ideas on this?

Kind regards,
Ralph
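
An added example, not part of the original post and not fail2ban's own code: a stand-alone Python check of the dovecot wiki failregex quoted above, run over log lines in the posted format. It counts one hit per matching line and compares that with the attempt count dovecot reports inside the line. The `ATTEMPTS` pattern, the function names, the threshold parameter and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# failregex from the dovecot wiki, as quoted in the post. Python's re module
# accepts it unchanged because the capture group is already named "host".
WIKI_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
# Hypothetical helper pattern: the attempt count dovecot itself reports.
ATTEMPTS = re.compile(r"auth failed, (\d+) attempts")

# First line is the one from the post; the rest are constructed samples
# using documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = [
    "Feb 11 09:21:42 hardliner dovecot: imap-login: Disconnected (auth failed, 2 attempts in 16 secs): user=<ichangedthisone>, method=PLAIN, rip=109.41.230.17, lip=11.22.333.444, TLS, session=<x0WPsMsOrwBtKeYR>",
    "Feb 11 09:22:10 hardliner dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=1234, TLS, session=<abc>",
    "Feb 11 09:23:01 hardliner dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, session=<def>",
    "Feb 11 09:23:09 hardliner dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<ghi>",
    "Feb 11 09:24:00 hardliner dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.44, lip=198.51.100.5, session=<jkl>",
]

def tally(lines):
    """Return (matching lines per host, dovecot-reported attempts per host)."""
    hits, attempts = Counter(), Counter()
    for line in lines:
        m = WIKI_FAILREGEX.search(line)
        if not m:
            continue  # successful logins and "no auth attempts" lines land here
        host = m.group("host")
        hits[host] += 1
        a = ATTEMPTS.search(line)
        attempts[host] += int(a.group(1)) if a else 1
    return hits, attempts

def hosts_over(lines, threshold):
    """Hosts whose number of matching lines reaches the (hypothetical) threshold."""
    hits, _ = tally(lines)
    return sorted(h for h, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    hits, attempts = tally(SAMPLE_LOG)
    for host in sorted(hits):
        print(host, "lines:", hits[host], "attempts:", attempts[host])
    print("over threshold 2:", hosts_over(SAMPLE_LOG, 2))
```

Unlike the first failregex in the post, the wiki pattern does not match "no auth attempts" disconnects, and a single matching line can stand for several password attempts, so a per-line count understates what dovecot saw.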