I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld.

Original Message
From: adi at ddns.com.au
Sent: May 21, 2020 11:01 PM
To: voytek at sbt.net.au
Cc: dovecot at dovecot.org
Subject: Re: fail2ban setup centos 7 not picking auth fail?

On 22-05-2020 15:45, Voytek Eymont wrote:
> On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
>> On 22-05-2020 10:38, Voytek Eymont wrote:
>
>>
>> Hardly a Dovecot issue. Can you please post the output of this
>> command?
>> /usr/bin/fail2ban-regex /var/log/dovecot.log
>> /etc/fail2ban/filter.d/dovecot.conf
>
>
> Adi,
>
> thanks, what I get is:
>
[...]
>
> Results
> ======
>
> Failregex: 5149 total
[...]
>
> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
> [processed in 87.44 sec]

Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it if the result is not consistent with your own searches.

It might be that Dovecot isn't logging to systemd's journal, or the regex doesn't match the journal entries. Try to comment out "journalmatch _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change.

P.S. Let's try and keep the replies to the list :)

--
Adi Pircalabu

On Thu, 21 May 2020 23:22:04 -0700, lists stated:
>I use SSHGuard on well ssh (doh!), but supposedly you can use it for
>postfix and dovecot also. I can tell you it is well supported. I am
>on Centos 7 using firewalld.

SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.

--
Jerry

I leave well enough alone, but rev 2 got a new parser to allow more user control. The documentation may be old. However, the dovecot trigger does look for auth failed.

dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

I run a personal email server and have the luxury of geographically limiting access to all mail ports other than 25. (I use 587). So I get few attempts at logins. Then again I can't access my email in 99% of the world in addition from hosting companies and cloud servers.

Original Message
From: jerry at seibercom.net
Sent: May 22, 2020 3:38 AM
To: dovecot at dovecot.org
Reply-to: dovecot at dovecot.org
Subject: Re: fail2ban setup centos 7 not picking auth fail?

On Thu, 21 May 2020 23:22:04 -0700, lists stated:
>I use SSHGuard on well ssh (doh!), but supposedly you can use it for
>postfix and dovecot also. I can tell you it is well supported. I am
>on Centos 7 using firewalld.

SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it.

--
Jerry
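
Added example (not part of the thread, and not fail2ban's or SSHGuard's own pattern): a Python scan for "auth failed" login lines of the kind quoted in the message above, tallying attempts per rip= address and counting matched and missed lines the way the fail2ban-regex summary does. The regular expression, the sample log lines and the maxretry threshold of 5 are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread); the addresses come from
# the RFC 5737 documentation ranges and the user names are made up.
SAMPLE_LOG = """\
May 22 03:10:01 mail dovecot: imap-login: Aborted login (auth failed, 6 attempts): user=<xyz>, rip=203.0.113.7, lip=127.0.0.1
May 22 03:10:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=127.0.0.1, TLS
May 22 03:11:30 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 8 secs): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=127.0.0.1
May 22 03:12:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=127.0.0.1, TLS
May 22 03:12:44 mail dovecot: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=203.0.113.50, lip=127.0.0.1
""".splitlines()

# Assumed pattern for this example: a login process reporting "auth failed"
# with an attempt count, followed somewhere by the remote address (rip=).
AUTH_FAILED = re.compile(
    r"\b(?:imap|pop3)-login: (?:Aborted login|Disconnected) "
    r"\(auth failed, (?P<attempts>\d+) attempts(?: in \d+ secs)?\):"
    r".*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def scan(lines):
    """Return (per-IP failed attempts, matched lines, missed lines)."""
    attempts, matched, missed = Counter(), 0, 0
    for line in lines:
        m = AUTH_FAILED.search(line)
        if m is None:
            missed += 1  # successful logins, probes without auth, etc.
            continue
        matched += 1
        attempts[m.group("rip")] += int(m.group("attempts"))
    return attempts, matched, missed

def offenders(lines, maxretry=5):
    """Remote addresses whose summed failed attempts reach maxretry."""
    attempts, _, _ = scan(lines)
    return sorted(ip for ip, n in attempts.items() if n >= maxretry)

if __name__ == "__main__":
    attempts, matched, missed = scan(SAMPLE_LOG)
    print(f"{matched} matched, {missed} missed")
    for ip in offenders(SAMPLE_LOG):
        print(f"would block {ip} ({attempts[ip]} failed attempts)")
```

This sums the attempt count Dovecot reports in each line; a tool that counts matching lines instead would need more lines before reaching the same threshold.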

On Fri, 22 May 2020, Jerry wrote:
> On Thu, 21 May 2020 23:22:04 -0700, lists stated:
>> I use SSHGuard on well ssh (doh!), but supposedly you can use it for
>> postfix and dovecot also. I can tell you it is well supported. I am
>> on Centos 7 using firewalld.
>
> SSHGuard works fairly well with Postfix; however, it is virtually
> useless with Dovecot. It never picks up on "auth fail" and a few
> others. I have submitted documentation and requests to SSHGuard, but
> they have never acted upon them, other than to say that they will look
> into it.

That's the beauty of open source -- if you got time and skillz, you can roll up your sleeves and do it yourself.

I peeked at the source, and it requires some Lex/Yacc coding. Even if you don't have those coding skills, you can probably make a good guess by looking at the .l/.y files.

The authors can make it a lot easier to extend if they externalize the patterns into runtime configuration like fail2ban does, rather than baking them into executables.

Joseph Tam <jtam.home at gmail.com>

Just to add another alternative while we're discussing the subject, I've got a soft spot for CSF as a replacement for fail2ban, and it has a lot of additional features as well.

https://www.configserver.com/cp/csf.html

P.

On 22/05/2020 18.32, Jerry wrote:
> On Thu, 21 May 2020 23:22:04 -0700, lists stated:
>> I use SSHGuard on well ssh (doh!), but supposedly you can use it for
>> postfix and dovecot also. I can tell you it is well supported. I am
>> on Centos 7 using firewalld.
>
> SSHGuard works fairly well with Postfix; however, it is virtually
> useless with Dovecot. It never picks up on "auth fail" and a few
> others. I have submitted documentation and requests to SSHGuard, but
> they have never acted upon them, other than to say that they will look
> into it.
>