I'm trying to set up fail2ban with dovecot. I have it working on the 'old' server (CentOS 6), but I'm not getting anywhere with the 'new' server on CentOS 7 using the standard filters.
I've copied the same 'filter' to the new server and still get nothing.
Any idea how to figure this out?
On the old server, it logs to syslog/messages.
CentOS release 6.10 (Final) dovecot 2.3.10.1 (a3d0e1171)
old # fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     168
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     32
   `- Banned IP list:
On the new server (CentOS Linux release 7.8.2003, dovecot 2.3.10.1 (a3d0e1171)), nothing shows up in the fail2ban log (ssh and postfix do, only dovecot doesn't).
I've copied the actual /etc/fail2ban/filter.d/dovecot.conf from the old server; still nothing.
Not sure where/how to look.
Is there a standard/approved dovecot filter..?
# cat jail.local
...
[dovecot]
enabled  = true
filter   = dovecot
logpath  = /var/log/dovecot.log
maxretry = 3
ignoreip = 127.0.0.1 127.0.0.0/8
...
# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
# grep 'auth failed' /var/log/dovecot.log | wc
7669 149916 1558909
# cat dovecot.conf
# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
#   lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
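A check worth running here, as an added example that is not part of the original post and not fail2ban's own code: the new server's jail status reports "Journal matches: _SYSTEMD_UNIT=dovecot.service" where the old one reported "File list: /var/log/dovecot.log", so the two jails are reading different sources. The script below re-implements just the filter's second failregex (the "auth failed" / "Aborted login" pattern pasted above) in Python and runs it over constructed dovecot.log and syslog-style lines, then classifies a pasted `fail2ban-client status` dump as file-backed or journal-backed. The prefix regex and the `<HOST>` character class are simplified assumptions standing in for fail2ban's `%(__prefix_line)s` and `<HOST>` templates; fail2ban's own tool for the first half of this check is `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf`.

```python
"""Offline check of the dovecot fail2ban filter against sample log lines.

Added example, not fail2ban's code. Shows which dovecot log formats the
filter's "auth failed" regex catches, which hosts would reach maxretry,
and whether a `fail2ban-client status <jail>` dump says the jail follows
a log file or the systemd journal.
"""
import re
from collections import Counter

# Simplified stand-in for %(__prefix_line)s from common.conf (assumption:
# fail2ban strips the timestamp with its date detector and has a richer
# prefix regex; this is enough for dovecot.log and syslog-forwarded lines).
_PREFIX = (
    r"^(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+)?"  # "Jun 02 12:34:56 "
    r"(?:[\w.-]+\s+)?"                            # syslog hostname, if any
    r"(?:dovecot(?:\[\d+\])?:\s+)?"               # "dovecot[1234]: " tag
)

# Body of the filter's second failregex, <HOST> replaced by a named group.
# fail2ban's <HOST> template also accepts hostnames and bracketed IPv6;
# a bare IPv4/IPv6 character class is enough for rip=... fields (assumption).
_AUTH_FAILED = re.compile(_PREFIX + (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?"
    r"( method=\S+,)? rip=(?P<host>[0-9a-fA-F.:]+)(?:, lip=\S+)?"
    r"(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:"
    r"SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
))

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    # dovecot.log format: dovecot writes its own "Info:" level tag
    "Jun 02 12:34:56 imap-login: Info: Disconnected (auth failed, 3 attempts in 10 secs): "
    "user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<Xt7Qk>",
    # same event via syslog: hostname and daemon tag, no "Info:"
    "Jun 02 12:35:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<abcde>",
    # plaintext client, no TLS field
    "Jun 02 12:35:40 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): "
    "user=<root>, method=LOGIN, rip=203.0.113.5, lip=198.51.100.10, session=<zzzzz>",
    # POP3 variant with ": Disconnected" after TLS
    "Jun 02 12:36:00 pop3-login: Info: Aborted login (auth failed, 2 attempts in 5 secs): "
    "user=<carol>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS: Disconnected, session=<qwert>",
    # IPv6 client
    "Jun 02 12:36:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 1 secs): "
    "user=<dave>, method=PLAIN, rip=2001:db8::1, lip=2001:db8::10, TLS, session=<ipv6a>",
    # noise the filter deliberately ignores (DEV notes: 'no auth attempts' dropped)
    "Jun 02 12:37:00 imap-login: Info: Disconnected (no auth attempts in 5 secs): "
    "user=<>, rip=192.0.2.9, lip=198.51.100.10, TLS, session=<noise>",
    # a successful login must never count
    "Jun 02 12:38:00 imap-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, "
    "lip=198.51.100.10, mpid=4242, TLS, session=<okokok>",
]

# Status dumps in the shape fail2ban-client prints (constructed from the post).
OLD_SERVER_STATUS = """Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     168
|  `- File list:        /var/log/dovecot.log
"""
NEW_SERVER_STATUS = """Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
"""


def match_host(line):
    """Return the rip= address if the line matches the auth-failure regex, else None."""
    m = _AUTH_FAILED.match(line)
    return m.group("host") if m else None


def ban_candidates(lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime ignored for brevity)."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


def jail_source(status_text):
    """Classify a `fail2ban-client status <jail>` dump: 'file', 'journal' or 'unknown'."""
    if re.search(r"File list:\s*\S", status_text):
        return "file"
    if "Journal matches:" in status_text:
        return "journal"
    return "unknown"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{match_host(line) or '-':>16}  {line[:64]}")
    print("would ban:", ban_candidates(SAMPLE_LOG))
    print("old server jail reads:", jail_source(OLD_SERVER_STATUS))
    print("new server jail reads:", jail_source(NEW_SERVER_STATUS))
```

If the regex matches the lines in /var/log/dovecot.log but the jail reports Journal matches, the filter is not what needs changing: either set `backend = polling` (or `pyinotify`) in the [dovecot] section of jail.local so the jail follows logpath, or have dovecot log to syslog so its lines reach the journal that the systemd backend is watching.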