On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
> On 22-05-2020 10:38, Voytek Eymont wrote:
>
> Hardly a Dovecot issue. Can you please post the output of this command?
> /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf

Adi,

thanks, what I get is:

# /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf

Running tests
============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         datepattern : Default Detectors
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8

Results
======

Failregex: 5149 total
|-  #) [# of hits] regular expression
|   2) [5149] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [338975] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
[processed in 87.44 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 333826 lines
On 22-05-2020 15:45, Voytek Eymont wrote:
> On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
>> On 22-05-2020 10:38, Voytek Eymont wrote:
>>
>> Hardly a Dovecot issue. Can you please post the output of this
>> command?
>> /usr/bin/fail2ban-regex /var/log/dovecot.log
>> /etc/fail2ban/filter.d/dovecot.conf
>
> Adi,
>
> thanks, what I get is:
> [...]
>
> Results
> ======
>
> Failregex: 5149 total
[...]
>
> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
> [processed in 87.44 sec]

Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it if the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd's journal, or the regex doesn't match the journal entries. Try to comment out the "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change.

P.S. Let's try and keep the replies to the list :)

-- 
Adi Pircalabu
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.

---- Original Message ----
From: adi at ddns.com.au
Sent: May 21, 2020 11:01 PM
To: voytek at sbt.net.au
Cc: dovecot at dovecot.org
Subject: Re: fail2ban setup centos 7 not picking auth fail?

On 22-05-2020 15:45, Voytek Eymont wrote:
> On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
>> On 22-05-2020 10:38, Voytek Eymont wrote:
>>
>> Hardly a Dovecot issue. Can you please post the output of this
>> command?
>> /usr/bin/fail2ban-regex /var/log/dovecot.log
>> /etc/fail2ban/filter.d/dovecot.conf
>
> Adi,
>
> thanks, what I get is:
> [...]
>
> Results
> ======
>
> Failregex: 5149 total
[...]
>
> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
> [processed in 87.44 sec]

Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it if the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd's journal, or the regex doesn't match the journal entries. Try to comment out the "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change.

P.S. Let's try and keep the replies to the list :)

-- 
Adi Pircalabu
On Fri, May 22, 2020 4:01 pm, Adi Pircalabu wrote:
>> Results
>> ======
>>
>> Failregex: 5149 total
>>
> [...]
>
>> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
>> [processed in 87.44 sec]
>
> Right, so it's not a regex problem then, you're getting some matches
> there, although you might want to revisit it if the result is not
> consistent with your own searches. It might be that Dovecot isn't logging
> to systemd's journal, or the regex doesn't match the journal entries. Try
> to comment out the "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in
> your filter file, restart f2b and see if there's any change. P.S. Let's try
> and keep the replies to the list :)

Adi,

this is what I got, a lot faster as well:

Running tests
============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         datepattern : Default Detectors
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8

Results
======

Failregex: 5177 total
|-  #) [# of hits] regular expression
|   2) [5177] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [343387] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 343387 lines, 0 ignored, 5177 matched, 338210 missed
[processed in 85.97 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 338210 lines
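An added example, not part of the thread and not fail2ban's own code, that replays what the fail2ban-regex runs above do: strip the timestamp from each dovecot.log line, apply the stock dovecot failregex exactly as fail2ban-regex printed it, and report which lines matched (and the remote IP captured from each) versus how many missed. Two things are simplifications I have assumed rather than copied from fail2ban: the `DATE_PREFIX` pattern stands in for the "Default Detectors" date template shown in the output, and the `<HOST>` placeholder is replaced by a plain named group. The log lines are constructed for the example and use documentation address ranges.

```python
import re

# Simplified stand-in (assumption, not fail2ban's own detector) for the
# "Default Detectors" date template printed by fail2ban-regex:
# {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
DATE_PREFIX = re.compile(
    r"^(?:[A-Za-z]{3} )?[A-Za-z]{3} +\d{1,2} \d{1,2}:\d{2}:\d{2}"
    r"(?:\.\d+)?(?: \d{4})? "
)

# Assumption: fail2ban's real <HOST> placeholder also accepts IPv6 forms and
# hostnames; a simple named group is enough to demonstrate the filter here.
HOST = r"(?P<host>[\w.:\-]+)"

# The failregex as fail2ban-regex printed it in the thread (fail2ban's stock
# filter.d/dovecot.conf), split across lines only for readability.
FAILREGEX = re.compile(
    r"^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?"
    r"(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?"
    r"(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?"
    r"(?:\[ID \d+ \S+\]\s+)?"
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):"
    r"( user=<[^>]+>,)?( method=\S+,)? rip=" + HOST +
    r"(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: "
    r"error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
)

# Constructed sample of dovecot.log lines (RFC 5737 documentation addresses):
# two auth failures, one successful login, one disconnect without any auth
# attempt, and one syslog-style line with host and process name in front.
SAMPLE_LOG = [
    "May 22 10:38:01 imap-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): "
    "user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<abc123>",
    "May 22 10:38:05 pop3-login: Info: Aborted login (tried to use disabled plaintext auth): "
    "user=<bob>, rip=203.0.113.7, lip=198.51.100.5, session=<def456>",
    "May 22 10:38:09 imap-login: Info: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, "
    "lip=198.51.100.5, mpid=1234, TLS, session=<ghi789>",
    "May 22 10:38:12 imap-login: Info: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=192.0.2.50, lip=198.51.100.5, TLS, session=<jkl012>",
    "May 22 10:38:15 mail dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<dave>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, TLS, session=<mno345>",
]


def match_line(line):
    """Return the remote IP (the <HOST> capture) if the line is an auth failure, else None."""
    body = DATE_PREFIX.sub("", line, count=1)   # fail2ban matches after the date is removed
    m = FAILREGEX.match(body)
    return m.group("host") if m else None


def run_filter(lines):
    """Summarise like fail2ban-regex: hosts that matched, and how many lines missed."""
    matched = []
    missed = 0
    for line in lines:
        host = match_line(line)
        if host is None:
            missed += 1
        else:
            matched.append(host)
    return {"total": len(lines), "matched": matched, "missed": missed}


if __name__ == "__main__":
    summary = run_filter(SAMPLE_LOG)
    print(f"Lines: {summary['total']} lines, {len(summary['matched'])} matched, "
          f"{summary['missed']} missed")
    for host in summary["matched"]:
        print("  failure from", host)
```

Run as a script it prints a summary in the shape of the "Lines: ... matched, ... missed" line from the thread. The third and fourth sample lines are "missed" on purpose: a successful login and a "Disconnected (no auth attempts ...)" line are not failures and must not count toward a ban, which is also why "missed" dominates in a busy dovecot.log such as the 333826 missed out of 338975 above.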