On 6/16/23 10:53, pe...@netsecpt.pt wrote:
Hi, I am having an issue with Dovecot. In the log files, IMAP inactivity lines have the
words "auth failed" included, which is not true. What happens next is that
fail2ban is looking for those words too in Dovecot's log file, and when it finds them it
bans my public IP address.
Is there any chance to change this behavior in Dovecot? What I mean is to insert
"auth failed" only when it is in fact an authentication failure, and not use it as
a general term for everything in the log file.

Interesting. It does look like maybe Dovecot is reporting "auth failed" on inactivity even if the auth actually succeeded. I am on Dovecot 2.3.20 from the Dovecot APT repo for Ubuntu.

I don't see this for my mail account, because my mail clients are never inactive for 3 minutes. But I do see it for another account on my mail server. I will need to ask that user if it is possible they are actually sending an incorrect password, but I think that is unlikely. The log entries are not frequent and it looks like there are only ever two such failures close enough together for fail2ban to notice, so the source address is not being banned because my fail2ban config requires five failures within 20 minutes before it takes action.

What is the findtime and maxretry in your fail2ban jail config for dovecot? Maybe the time span is too large or the retry value too low.

I think you should have fail2ban ignore your public IP, which would solve the problem for your IP address. Below are the contents of /etc/fail2ban/jail.d/zz-custom.conf on my mail server. I have not changed any of the conf files in /etc/fail2ban itself; I have only added a config file to jail.d.

The public /24 ranges in the ignoreip setting are in there for Qualys Labs SSL tests. Without them, their test IP address gets banned because their tests generate a ton of failures in the haproxy log. Also included are the AWS private IP address of the mail server and the AWS public IP address.

elyograg@bilbo:/etc/fail2ban/jail.d$ cat zz-custom.conf
[INCLUDES]
before = common.conf

[DEFAULT]
maxretry = 5
bantime = 8h
findtime = 20m
ignoreself = true
ignoreip = 127.0.0.1/8 ::1 192.168.217.0/24 REDACTED1 172.31.8.104 REDACTED2 REDACTED3 64.41.200.0/24 54.67.1.252 64.77.246.0/24
banaction = %(banaction_allports)s
protocol = all

[sshd]
enabled = true
port    = 0:65535

[dovecot]
enabled = true
port    = 0:65535

[sieve]
enabled = true
port    = 0:65535

[postfix]
enabled = true
findtime = 30m
bantime = 8h
port    = 0:65535

[postfix-rbl]
enabled = true
findtime = 30m
bantime = 8h
port    = 0:65535

[postfix-sasl]
enabled = true
findtime = 30m
bantime = 8h
port    = 0:65535

[haproxy-http-auth]
enabled = true
logpath  = /var/log/debug-haproxy
port    = 0:65535

[haproxy-custom]
enabled = true
findtime = 30m
logpath  = /var/log/debug-haproxy
maxretry = 10
port    = 0:65535
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
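The interaction between findtime, maxretry and ignoreip described in the reply above, as an added example that is not part of the original thread and is not fail2ban's or Dovecot's own code. It is a minimal model of a jail: a simplified stand-in for the "auth failed" match in fail2ban's dovecot filter is run over constructed Dovecot-style log lines (not captured from a real server), and the ignoreip string is the one from the posted zz-custom.conf, REDACTED placeholders included. The second run uses a hypothetical tighter setting (maxretry=2, findtime=1h) to show how an idle client's inactivity lines alone can cross the threshold.

```python
# Added illustration (not fail2ban's or Dovecot's code): a minimal model of a
# fail2ban jail's findtime / maxretry / ignoreip logic over constructed log lines.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for the filter: any "auth failed" line, with the remote
# address taken from Dovecot's rip= field. The real filter.d/dovecot.conf is
# more elaborate; this regex only mirrors the behaviour the thread complains about.
FAIL_RE = re.compile(r"auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)")

# ignoreip value from the posted jail.d/zz-custom.conf, placeholders included.
IGNOREIP = ("127.0.0.1/8 ::1 192.168.217.0/24 REDACTED1 172.31.8.104 REDACTED2 "
            "REDACTED3 64.41.200.0/24 54.67.1.252 64.77.246.0/24")

# Constructed sample log (not real traffic). 203.0.113.10 is an idle but
# legitimate client whose inactivity disconnects carry "auth failed";
# 198.51.100.7 guesses passwords; 192.168.217.5 is a LAN host inside ignoreip.
SAMPLE_LOG = """\
Jun 16 10:00:01 bilbo dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<alice>, rip=203.0.113.10, lip=172.31.8.104
Jun 16 10:05:01 bilbo dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<alice>, rip=203.0.113.10, lip=172.31.8.104
Jun 16 10:10:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=172.31.8.104
Jun 16 10:11:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=172.31.8.104
Jun 16 10:12:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=172.31.8.104
Jun 16 10:13:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=172.31.8.104
Jun 16 10:14:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=172.31.8.104
Jun 16 10:20:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.217.5, lip=172.31.8.104
Jun 16 10:21:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.217.5, lip=172.31.8.104
Jun 16 10:22:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.217.5, lip=172.31.8.104
Jun 16 10:23:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.217.5, lip=172.31.8.104
Jun 16 10:24:00 bilbo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.217.5, lip=172.31.8.104
"""


def parse_duration(spec):
    """fail2ban-style time spec: bare seconds or a number with s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if spec[-1].isdigit():
        return int(spec)
    return int(spec[:-1]) * units[spec[-1]]


def parse_ignoreip(spec):
    """Turn the space-separated ignoreip value into ip_network objects.
    Tokens that are not addresses (the REDACTED placeholders here) are skipped;
    real fail2ban would treat them as hostnames to resolve."""
    nets = []
    for tok in spec.split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            pass
    return nets


def is_ignored(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def evaluate_jail(log_text, maxretry, findtime, ignoreip):
    """Return (banned, ignored): banned maps IP -> timestamp of the failure that
    reached maxretry within findtime; ignored is the set of source addresses
    whose failures were discarded because they matched ignoreip."""
    window = parse_duration(findtime)
    nets = parse_ignoreip(ignoreip)
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    banned, ignored = {}, set()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        stamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix, no year
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
        if is_ignored(ip, nets):
            ignored.add(ip)
            continue
        if ip in banned:  # bantime (8h in the posted config) outlasts this sample
            continue
        hits = [t for t in recent[ip] if (ts - t).total_seconds() <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = stamp
            recent.pop(ip)
    return banned, ignored


if __name__ == "__main__":
    for maxretry, findtime in ((5, "20m"), (2, "1h")):  # posted config, then a tighter hypothetical one
        banned, ignored = evaluate_jail(SAMPLE_LOG, maxretry, findtime, IGNOREIP)
        print(f"maxretry={maxretry} findtime={findtime}: banned={banned} ignored={sorted(ignored)}")
```

With the posted values (maxretry=5, findtime=20m) only the password guesser is banned; the idle client's two inactivity lines never reach the threshold, and the LAN host is discarded by ignoreip before counting. With maxretry=2 and findtime=1h the idle client is banned on its second inactivity line, which is the behaviour the original poster describes. To check the real filter against a real log instead of this model, run fail2ban-regex with the mail log and the dovecot filter file and look at which lines it reports as matches.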