Gary Stainburn
2019-Apr-19 14:35 UTC
[CentOS] fail2ban detecting and banning but nothing happens
On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?

I was following the instructions as shown on the page. I did find after sending my post that there was already a regex in the standard file, so should be able to remove the one I added. However, the regex part doesn't seem to be the problem as the actions are being correctly triggered.

> > \[<HOST>\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for
> > ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?

This is correct. I am using Dovecot to authenticate the SMTP users. The errors are being logged in /var/log/exim/main.log and not in /var/log/dovecot.log or /var/log/maillog

>
> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE
> > [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO
> > [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE
> > [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE
> > [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE
> > [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO
> > [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE
> > [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO
> > [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:

(I didn't wrap them, my mail client did. Sorry)

> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you will see what
> you've got.

The event that triggers the ban does complete as normal, which is what I would expect as the ban is triggered by the log entry which is *after* the failed attempt. However, after the /var/log/fail2ban.log showed the IP as banned, I continue to see entries in /var/log/exim/main.log

> > (Also, I don't understand why it's matching against dovecot when the
> > regex is in exim.conf)
>
> Because the log line says dovecot - the actual name of the .conf file
> is irrelevant and nowhere in the filter config files does it mention
> [exim] explicitly (or any other section). The section is determined
> from the log line using the filters.

I did wonder that, but had initially assumed that it took it from the module / target.
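An added check, not part of the thread, for the symptom described in the post above: fail2ban.log reports "Ban <ip>" while the same address keeps producing 535 lines in exim's main.log. Both logs start with a "YYYY-MM-DD HH:MM:SS" timestamp, so plain string comparison orders events correctly. The function below lists every banned IP that still appears in the exim log after its ban time, with the hit count and the first such time. Per Pete's explanation, one hit right after the ban is expected (the connection that triggered the ban is already established); repeated later hits mean the firewall rule is not being enforced. The two log samples are constructed from addresses and timestamps quoted in the thread, with the exim timestamps invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): correlate fail2ban bans with later
# exim authentication failures from the same address.

# Constructed sample of /var/log/fail2ban.log (Ban lines from the thread).
FAIL2BAN_LOG_SAMPLE='2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198'

# Constructed sample of /var/log/exim/main.log (timestamps invented).
EXIM_LOG_SAMPLE='2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
2019-04-19 13:06:40 dovecot_plain authenticator failed for ([45.227.253.99]) [45.227.253.99]: 535 Incorrect authentication data
2019-04-19 13:08:10 dovecot_plain authenticator failed for ([185.234.217.162]) [185.234.217.162]: 535 Incorrect authentication data
2019-04-19 13:10:48 dovecot_plain authenticator failed for ([185.211.245.198]) [185.211.245.198]: 535 Incorrect authentication data'

# Usage: bans_not_enforced "$fail2ban_log_text" "$exim_log_text"
# Prints "IP hits first_hit_after_ban" for each banned IP that shows up in
# the exim log after fail2ban reported the ban. Output is sorted by IP.
bans_not_enforced() {
    {
        # Tag each line with its source so one awk pass can handle both logs.
        printf '%s\n' "$1" | sed 's/^/F /'
        printf '%s\n' "$2" | sed 's/^/E /'
    } | awk '
        # fail2ban: "F date time,ms fail2ban.actions [pid]: NOTICE [jail] Ban IP"
        $1 == "F" && $(NF-1) == "Ban" && $NF ~ /^[0-9.]+$/ {
            ts = $2 " " substr($3, 1, 8)          # drop the ,ms fraction
            if (!($NF in banned) || ts < banned[$NF]) banned[$NF] = ts   # earliest ban
        }
        # exim: "E date time ... ([IP]) [IP]: 535 Incorrect authentication data"
        $1 == "E" {
            ts = $2 " " $3
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^\[[0-9.]+\]:?$/) {      # the "[IP]:" field, not "([IP])"
                    ip = $i; sub(/^\[/, "", ip); sub(/\]:?$/, "", ip)
                    if ((ip in banned) && ts > banned[ip]) {
                        hits[ip]++
                        if (!(ip in first)) first[ip] = ts
                    }
                }
            }
        }
        END { for (ip in hits) print ip, hits[ip], first[ip] }
    ' | sort
}

# Stand-alone run on the constructed samples. On a live host, use e.g.
#   bans_not_enforced "$(cat /var/log/fail2ban.log)" "$(cat /var/log/exim/main.log)"
bans_not_enforced "$FAIL2BAN_LOG_SAMPLE" "$EXIM_LOG_SAMPLE"
```

With the samples above, 185.234.217.162 is not reported because its only exim line precedes its ban, while 45.227.253.99 and 185.211.245.198 are reported once each.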
Pete Biggs
2019-Apr-19 23:32 UTC
[CentOS] fail2ban detecting and banning but nothing happens
> The event that triggers the ban does complete as normal, which is what I would
> expect as the ban is triggered by the log entry which is *after* the failed
> attempt.
>
> However, after the /var/log/fail2ban.log showed the IP as banned, I continue
> to see entries in /var/log/exim/main.log

What ban action do you use? If it's something like iptables-multiport, then I wonder if the fact that it's detecting the failures as '[dovecot]' means that it's using the dovecot ports, not the exim ports, when applying the iptable rule.

When a host has been banned, can you look at the iptables rules to see what is actually being applied.

P.
Gary Stainburn
2019-Apr-26 13:29 UTC
[CentOS] fail2ban detecting and banning but nothing happens
On Saturday 20 April 2019 00:32:43 Pete Biggs wrote:
> What ban action do you use? If it's something like iptables-multiport,
> then I wonder if the fact that it's detecting the failures as
> '[dovecot]' means that it's using the dovecot ports, not the exim
> ports, when applying the iptable rule.
>
> When a host has been banned, can you look at the iptables rules to see
> what is actually being applied.

Hi Pete,

I did wonder that myself. I have now amended the Dovecot definition in jail.conf to:

[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

I then unbanned and banned each IP address manually with

for F in 46.232.112.21 106.226.231.159 [snip] 52.38.234.254 ; do
  fail2ban-client set dovecot unbanip $F
  fail2ban-client set dovecot banip $F
done

which worked. However, having done this, the connections are still getting through to EXIM.

[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 6
|  |- Total failed: 199
|  `- Journal matches: _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned: 82
   `- Banned IP list: 46.232.112.21 106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 49.87.109.233 52.38.234.254
[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3768
References: 0
Number of entries: 41
Members:
185.211.245.198 timeout 4294522
[snip]
45.227.253.99 timeout 4294532
117.60.247.84 timeout 4294514

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 408
References: 0
Number of entries: 3
Members:
185.234.217.160 timeout 4294290
85.222.209.56 timeout 4294291
185.222.209.71 timeout 4294289
[root@ollie2 ~]#
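An added check, not from the thread, for reading `ipset list` output like the listing above. ipset's "References" field counts the kernel objects (in practice, the iptables/firewalld rules using `-m set --match-set`) that consult the set; a set with References: 0 fills up with banned addresses that no rule ever matches, so membership alone proves nothing about enforcement. The functions below report unreferenced sets and test whether a given address is actually a member of a given set. The listing embedded here is constructed to mirror the shape of the output above, with fewer members and one set's References count changed to 1 so that both outcomes are exercised.

```shell
#!/bin/sh
# Added example (not from the thread): parse `ipset list` output and flag
# sets that no firewall rule references.

# Constructed sample of `ipset list` output (shape copied from the thread,
# member lists shortened, fail2ban-exim's References changed to 1).
SAMPLE_IPSET_LIST='Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:

Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3768
References: 0
Number of entries: 2
Members:
185.211.245.198 timeout 4294522
45.227.253.99 timeout 4294532

Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 408
References: 1
Number of entries: 1
Members:
185.222.209.71 timeout 4294289
'

# Usage: unreferenced_sets "$ipset_list_text"
# Prints, one per line, the names of sets whose References count is 0.
unreferenced_sets() {
    printf '%s\n' "$1" | awk '
        /^Name:/       { name = $2 }
        /^References:/ { if ($2 == 0) print name }
    '
}

# Usage: ip_in_set SETNAME IP "$ipset_list_text"
# Returns 0 if IP is listed under Members: of SETNAME, 1 otherwise.
ip_in_set() {
    printf '%s\n' "$3" | awk -v set="$1" -v ip="$2" '
        /^Name:/    { cur = $2; inmembers = 0; next }
        /^Members:/ { inmembers = 1; next }
        /^$/        { inmembers = 0; next }   # blank line ends the member list
        inmembers && cur == set && $1 == ip { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Stand-alone run on the constructed sample. On a live host, pass
# "$(ipset list)" instead of "$SAMPLE_IPSET_LIST".
main() {
    for s in $(unreferenced_sets "$SAMPLE_IPSET_LIST"); do
        echo "WARNING: ipset $s has References: 0 - its bans are not enforced by any rule"
    done
    if ip_in_set fail2ban-dovecot 45.227.253.99 "$SAMPLE_IPSET_LIST"; then
        echo "45.227.253.99 is a member of fail2ban-dovecot"
    fi
}
main
```

On the sample, both fail2ban-sshd and fail2ban-dovecot are reported as unreferenced, while fail2ban-exim is not. A set being unreferenced is a problem on the firewall-rule side, not on fail2ban's side, so that is where to look next (for instance, whether the firewall was reloaded after fail2ban created its rule).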