I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from
https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
attempted multiple mail access with wrong password, but, get this:

# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek at k | wc
     19     367    3749

and

Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>
Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<Osk5An1gAKVur/an>
Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<xsq/An1gDN1ur/an>
Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<RVUkA31gm4xur/an>

# cat dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
     Docs: man:fail2ban(1)
  Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS)
  Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 2039 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14 systemd[1]: Starting Fail2Ban Service...
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...9.7
Dec 16 22:35:14 fail2ban-client[2036]: 2017-12-16 22:35:14,657 fail2ban.server [2...ode
Dec 16 22:35:14 systemd[1]: Started Fail2Ban Service.
Dec 17 09:21:51 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:22:52 systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:31:40 systemd[1]: Reloaded Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
On 17.12.2017 at 00:56, voytek at sbt.net.au wrote:
> I'm trying to setup and test fail2ban with dovecot
>
> I've installed fail2ban, I've copied config from
> https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
> attempted multiple mail access with wrong password, but, get this:
>
> # fail2ban-client status dovecot-pop3imap
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed:     0
> |  `- File list:        /var/log/dovecot.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> [...]

Did you enable the dovecot service in fail2ban? By default all jails are
disabled.

/etc/fail2ban/jail.conf:
[dovecot]
enabled = true

--
Alex JOST
On Mon, December 18, 2017 3:06 am, Alex JOST wrote:
> Did you enable the dovecot service in fail2ban? By default all jails are
> disabled.
>
> /etc/fail2ban/jail.conf:
> [dovecot]
> enabled = true

Alex, thanks

no, not in jail.conf, I've put it in the (1) /etc/fail2ban/jail.local

I've also added postfix, that seems to work:

I've made test failed dovecot and postfix from phone/cell connection, I
think? postfix one worked, but, nothing registered on dovecot

do you know where f2b places bad IPs? I saw them listed on 'status', but,
couldn't find them in /etc/hosts.deny, not sure if they meant to be there.

[and, the device, after failing smtp, could still access http, so not sure
if my testing is valid]

# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: dovecot-pop3imap, postfx-sasl

# fail2ban-client status postfx-sasl
Status for the jail: postfx-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     57
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 1
   |- Total banned:     7
   `- Banned IP list:   201.249.46.118

# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

(1)
# cat jail.local
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath  = /var/log/dovecot.log
maxretry = 5
findtime = 300
bantime  = 3600
ignoreip = 127.0.0.1 127.0.0.0/8

[postfx-sasl]
enabled  = true
filter   = postfix-sasl
action   = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#          sendmail[name=Postfix, dest=you at mail.com]
logpath  = /var/log/maillog
bantime  = 3600
maxretry = 5
ignoreip = 127.0.0.1 127.0.0.0/8
Copy dovecot-pop3imap.conf to dovecot-pop3imap.local.  Edit
dovecot-pop3imap.local and add to the failregex:
dovecot:.+auth failed.+rip=<HOST>

Then run:
fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
and see if you get any matches.

Bill

On 12/16/2017 6:56 PM, voytek at sbt.net.au wrote:
> I'm trying to setup and test fail2ban with dovecot
>
> I've installed fail2ban, I've copied config from
> https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
> attempted multiple mail access with wrong password, but, get this:
>
> # fail2ban-client status dovecot-pop3imap
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed:     0
> |  `- File list:        /var/log/dovecot.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
>
> # grep 'auth fail' /var/log/dovecot.log | grep voytek at k | wc
>      19     367    3749
>
> and
>
> Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>
> [...]
>
> # cat dovecot-pop3imap.conf
> [Definition]
> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
> ignoreregex
> [...]
Have you tried just using the filter dovecot.conf that comes with fail2ban?

# cat /etc/fail2ban/filter.d/dovecot.conf
......
failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( us$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authen$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
......

Gao

On 2017-12-16 15:56, voytek at sbt.net.au wrote:
> I'm trying to setup and test fail2ban with dovecot
>
> I've installed fail2ban, I've copied config from
> https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,
> attempted multiple mail access with wrong password, but, get this:
>
> # fail2ban-client status dovecot-pop3imap
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed:     0
> |  `- File list:        /var/log/dovecot.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
>
> # grep 'auth fail' /var/log/dovecot.log | grep voytek at k | wc
>      19     367    3749
>
> and
>
> Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167, lip=163.47.110.7, TLS, session=<bQ6mAX1gHcRur/an>
> [...]
>
> # cat dovecot-pop3imap.conf
> [Definition]
> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
> ignoreregex
> [...]
On Mon, December 18, 2017 9:40 am, Bill Shirley wrote:
> Copy dovecot-pop3imap.conf to dovecot-pop3imap.local.  Edit
> dovecot-pop3imap.local and add to the failregex:
> dovecot:.+auth failed.+rip=<HOST>
>
> Then run:
> fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
> and see if you get any matches.

Bill, thanks for trying to help, sorry for dumb question

shouldn't '.local' be in /etc/fail2ban/ rather than /etc/fail2ban/filter.d/ ?

I've copied it to /etc/fail2ban/, as that's where my other .local is ??

and, not sure where to add, tried 3 different places, including at the
end, but, getting:

in /etc/fail2ban/ (before addition)

# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex

# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=<HOST>
ignoreregex

# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/dovecot-pop3imap.local

Running tests
=============

Use   failregex file : /etc/fail2ban/dovecot-pop3imap.local

Traceback (most recent call last):
  File "/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: Unable to compile regular expression '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
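An added example, not code from the thread, from fail2ban or from Dovecot, that runs the wiki failregex quoted at the top of the thread and a pattern modelled on the bundled filter.d/dovecot.conf over constructed log lines in the same format as the ones posted, then counts failures per rip= address the way the poster's jail.local (maxretry = 5, findtime = 300) would. It shows two things: the wiki pattern expects the failure phrase directly after "imap-login: ", but the posted lines carry an "Info: " severity tag there, so it matches none of them, whereas the bundled filter allows the tag with (?:Info: )?; and the comma-joined failregex from the traceback above fails to compile because expanding the second <HOST> produces a second (?P<host>...) group, which Python's re rejects. fail2ban treats each line of a multi-line failregex value as a separate expression, so an extra pattern belongs on its own line. The <HOST> expansion is copied from the RegexException above; the year 2017 for the year-less timestamps, the RFC 5737 test addresses and the sample lines are assumptions made for the example.

```python
"""Check Dovecot login-failure lines against fail2ban-style failregex
patterns and count failures per remote IP the way a jail does.

Added example for this thread; not fail2ban or Dovecot code.
Assumed: the <HOST> expansion below (as quoted in the traceback),
maxretry = 5 and findtime = 300 from the poster's jail.local, and
the year 2017 for the year-less syslog timestamps."""
import re
from collections import defaultdict
from datetime import datetime

# <HOST> expansion as it appears in the RegexException in the thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex quoted from the Dovecot wiki in the thread: after
# "imap-login: " it expects the failure phrase straight away.
WIKI_REGEX = (
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Modelled on fail2ban's bundled filter.d/dovecot.conf (quoted in the
# thread): the "Info: " tag Dovecot writes into its own log file is
# optional, and the remote address is taken from rip=<HOST>.
TAGGED_REGEX = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r" \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
    r"|tried to use (?:disabled|disallowed) \S+ auth)\):.*rip=<HOST>,"
)

# Constructed sample log (not the poster's real log); RFC 5737 addresses.
SAMPLE_LOG = """\
Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<c1>
Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<c2>
Dec 17 09:55:20 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<c3>
Dec 17 09:56:01 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<c4>
Dec 17 09:56:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.7, TLS, session=<c5>
Dec 17 09:57:00 imap-login: Info: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.7, mpid=4242, TLS, session=<c6>
Dec 17 10:30:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.net>, method=PLAIN, rip=192.0.2.30, lip=198.51.100.7, TLS, session=<c7>
"""


def expand_host(pattern):
    """Substitute <HOST> the way fail2ban does before compiling."""
    return pattern.replace("<HOST>", HOST_RE)


def compiles(pattern):
    """True if Python's re accepts the expanded failregex line.
    Two host groups in one line (the comma-joined pattern from the
    thread) are rejected as a redefinition of group name 'host'."""
    try:
        re.compile(expand_host(pattern))
        return True
    except re.error:
        return False


def parse_ts(line, year=2017):
    """Syslog-style timestamp without a year; the year is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def failures(pattern, log=SAMPLE_LOG):
    """(timestamp, host) for every log line the pattern matches."""
    rx = re.compile(expand_host(pattern))
    hits = []
    for line in log.splitlines():
        m = rx.search(line)
        if m:
            hits.append((parse_ts(line), m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=5, findtime=300):
    """Sliding-window count: a host is banned once it has maxretry
    matched failures within findtime seconds."""
    recent = defaultdict(list)
    banned = []
    for ts, host in hits:
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for name, pat in (("wiki", WIKI_REGEX), ("tagged", TAGGED_REGEX)):
        hits = failures(pat)
        print(f"{name}: {len(hits)} matches, would ban {hosts_to_ban(hits)}")
    joined = WIKI_REGEX + ",dovecot:.+auth failed.+rip=<HOST>"
    print("comma-joined failregex compiles:", compiles(joined))
```

Running it prints 0 matches for the wiki pattern, 6 matches and a ban of 192.0.2.10 for the tagged pattern, and False for the comma-joined pattern. Against a real log the same comparison is what fail2ban-regex does when pointed at the filter file, so it is the quickest way to confirm a filter actually sees the "Info: " lines before enabling the jail.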
On Mon, December 18, 2017 12:50 pm, Gao wrote:
> Have you tried just using the filter dovecot.conf that comes with
> fail2ban?
>
> # cat /etc/fail2ban/filter.d/dovecot.conf

Gao, thanks

so do I just put enable in /etc/fail2ban/jail.local ?

# cat jail.local
[dovecot]
enabled = true
filter = dovecot

# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

(sorry, I'm structure what I had on old server, it seems to work with smtp
auth, so I thought that's correct way to do)

# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: dovecot, postfx-sasl

# fail2ban-client status postfx-sasl
Status for the jail: postfx-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   120.150.227.127 125.126.168.42
thanks for all the help, I went back to the old server's config, and, it
worked as is, so that will do for now:

# fail2ban-client status dovecot-iredmail
Status for the jail: dovecot-iredmail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.144.106.60

# Chain f2b-dovecot (1 references)
target     prot opt source               destination
REJECT     all  --  1.144.106.60         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere