On 5/1/23 08:27, Wayne Sallee via Fail2ban-users wrote:

-------- Original Message --------
*Subject: *  [Fail2ban-users] Problems with dovecot filter
*From: *     Jim Wright <j...@themailshack.com>
*To: *         Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: *      2023-4-29  11:15 AM
I have version 0.11.2-1.el8 installed under Rocky Linux 8.7. Other jails are working correctly, but I've found that the dovecot one isn't working as expected. Troubleshooting with the below command results in a number of matches for pop3-login and imap-login, but none for auth-worker, which is where I'm having the problem:

That's why I created my own dovecot jail, and postfix jail.
As seen in the recent thread "fail2ban-regex maches, but fail2ban does not"

From what I can see with the updated version, fail2ban version 1.0.2-3.el8, I'm getting matches now against auth-worker, so that part is resolved.

But I'm still not having anything hit the jail, and from what I can tell, I should be.  One particular IP is coming up several times over the last few days.  And my jail is set to a findtime of 240 hours, so this 'should' be getting jailed.  I'm stumped on why this particular jail isn't working still.


From jail.local:

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/dovecot.log
maxretry  = 3
findtime = 240h
bantime = 10m
bantime.factor = 1


Regex test:

[wright@localhost dovecot] $ fail2ban-regex --print-all-matched /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf  | grep 124
May 01 09:11:10 auth-worker(312509): Info: conn unix:auth-worker (pid=312464,uid=97): auth-worker<3>: sql(info,36.138.74.124,<UuySZKL6VIckikp8>): unknown user
May 01 09:11:12 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<info>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<UuySZKL6VIckikp8>
May 01 20:15:30 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<1>: sql(nologin,36.138.74.124,<2X/orKv64rAkikp8>): unknown user
May 01 20:15:32 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<2X/orKv64rAkikp8>
May 01 20:15:37 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<2>: sql(i...@wrightthisway.com,36.138.74.124,<7/oQrav6eLIkikp8>): unknown user
May 01 20:15:39 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 6 secs): user=<i...@wrightthisway.com>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<7/oQrav6eLIkikp8>
May 01 20:15:48 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<3>: sql(info,36.138.74.124,<NFR/rav6Qrckikp8>): unknown user
May 01 20:15:50 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<info>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<NFR/rav6Qrckikp8>
May 02 06:19:32 auth-worker(336799): Info: conn unix:auth-worker (pid=336706,uid=97): auth-worker<1>: sql(j...@wrightthisway.com,124.197.99.28): Password mismatch
May 02 07:56:01 auth-worker(339062): Info: conn unix:auth-worker (pid=339060,uid=97): auth-worker<1>: sql(nologin,36.138.74.124,<59kidrX6HLUkikp8>): unknown user
May 02 07:56:04 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 3 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<59kidrX6HLUkikp8>
May 02 07:56:11 auth-worker(339062): Info: conn unix:auth-worker (pid=339060,uid=97): auth-worker<2>: sql(i...@wrightthisway.com,36.138.74.124,<j9l6drX6lLckikp8>): unknown user
May 02 07:56:13 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 6 secs): user=<i...@wrightthisway.com>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<j9l6drX6lLckikp8>
May 02 07:56:22 auth-worker(339062): Info: conn unix:auth-worker (pid=339060,uid=97): auth-worker<3>: sql(info,36.138.74.124,<++HrdrX6UL0kikp8>): unknown user
May 02 07:56:24 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<info>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<++HrdrX6UL0kikp8>
May 02 18:46:02 auth-worker(354181): Info: conn unix:auth-worker (pid=354144,uid=97): auth-worker<1>: sql(nologin,36.138.74.124,<zdrDir76TJwkikp8>): unknown user
May 02 18:46:04 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<zdrDir76TJwkikp8>
May 02 18:46:09 auth-worker(354181): Info: conn unix:auth-worker (pid=354144,uid=97): auth-worker<2>: sql(cont...@wrightthisway.com,36.138.74.124,<acj5ir764J4kikp8>): unknown user
May 02 18:46:11 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 6 secs): user=<cont...@wrightthisway.com>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<acj5ir764J4kikp8>
May 02 18:46:20 auth-worker(354181): Info: conn unix:auth-worker (pid=354144,uid=97): auth-worker<3>: sql(contact,36.138.74.124,<IUhfi776nKMkikp8>): unknown user
May 02 18:46:22 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<contact>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<IUhfi776nKMkikp8>




_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
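Added example (not part of the thread and not fail2ban's own code): a small replay of the jail's counting rule over the lines quoted above, to show what the daemon should have concluded from them. An IP is banned once it has `maxretry` matching failures inside a sliding `findtime` window; the two regexes below are simplified stand-ins for the real `filter.d/dovecot.conf` patterns (they only cover the `auth-worker ... sql(...)` and `*-login: ... auth failed ... rip=` shapes seen in the output), the year is assumed to be 2023 because dovecot's timestamp carries none, and the sample log is a constructed subset of the quoted output. Note that every failed login produces two matched lines (one `auth-worker`, one `pop3-login`), so the count reaches `maxretry = 3` after the second attempt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the fail2ban-regex output quoted in the
# thread, one log line per entry (mailbox names left as elided on the list).
SAMPLE_LOG = """\
May 01 09:11:10 auth-worker(312509): Info: conn unix:auth-worker (pid=312464,uid=97): auth-worker<3>: sql(info,36.138.74.124,<UuySZKL6VIckikp8>): unknown user
May 01 09:11:12 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<info>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<UuySZKL6VIckikp8>
May 01 20:15:30 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<1>: sql(nologin,36.138.74.124,<2X/orKv64rAkikp8>): unknown user
May 01 20:15:32 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<2X/orKv64rAkikp8>
May 01 20:15:37 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<2>: sql(i...@wrightthisway.com,36.138.74.124,<7/oQrav6eLIkikp8>): unknown user
May 01 20:15:39 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 6 secs): user=<i...@wrightthisway.com>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<7/oQrav6eLIkikp8>
May 01 20:15:48 auth-worker(325888): Info: conn unix:auth-worker (pid=325886,uid=97): auth-worker<3>: sql(info,36.138.74.124,<NFR/rav6Qrckikp8>): unknown user
May 01 20:15:50 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<info>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<NFR/rav6Qrckikp8>
May 02 06:19:32 auth-worker(336799): Info: conn unix:auth-worker (pid=336706,uid=97): auth-worker<1>: sql(j...@wrightthisway.com,124.197.99.28): Password mismatch
May 02 07:56:01 auth-worker(339062): Info: conn unix:auth-worker (pid=339060,uid=97): auth-worker<1>: sql(nologin,36.138.74.124,<59kidrX6HLUkikp8>): unknown user
May 02 07:56:04 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 3 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<59kidrX6HLUkikp8>
"""

# Simplified stand-ins for the lines the dovecot filter matched above.
# These are NOT the regexes from /etc/fail2ban/filter.d/dovecot.conf.
FAILREGEXES = [
    # auth-worker<N>: sql(<user>,<ip>[,<session>]): unknown user | Password mismatch
    re.compile(r"auth-worker<\d+>: sql\([^,]+,(?P<ip>[0-9a-fA-F.:]+)(?:,<[^>]*>)?\): "
               r"(?:unknown user|Password mismatch)"),
    # pop3-login/imap-login: ... (auth failed, N attempts in M secs): ... rip=<ip>,
    re.compile(r"-login: Info: Disconnected: .*\(auth failed, \d+ attempts in \d+ secs\): "
               r".*rip=(?P<ip>[0-9a-fA-F.:]+),"),
]

TS_FMT = "%b %d %H:%M:%S"   # dovecot's syslog-style prefix, e.g. "May 01 09:11:10"
ASSUMED_YEAR = 2023         # assumption: the log format carries no year


def parse_failure(line):
    """Return (timestamp, ip) if the line counts as an auth failure, else None."""
    for rx in FAILREGEXES:
        m = rx.search(line)
        if m:
            try:
                ts = datetime.strptime(line[:15], TS_FMT).replace(year=ASSUMED_YEAR)
            except ValueError:          # no usable timestamp: fail2ban would skip it too
                return None
            return ts, m.group("ip")
    return None


def simulate_jail(log_text, maxretry=3, findtime_seconds=240 * 3600):
    """Replay the log through the jail's rule (simplified model of fail2ban):
    an IP is banned the moment it has `maxretry` failures whose timestamps
    all lie within `findtime_seconds` of the newest one.
    Returns {ip: (total_failures, banned_at_or_None)}."""
    recent = defaultdict(list)      # ip -> failure timestamps still inside the window
    result = {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_seconds]
        window.append(ts)
        recent[ip] = window
        total, banned_at = result.get(ip, (0, None))
        total += 1
        if banned_at is None and len(window) >= maxretry:
            banned_at = ts          # first moment the jail would have fired a ban
        result[ip] = (total, banned_at)
    return result


def banned_ips(log_text, **jail_opts):
    """Sorted list of IPs the simulated jail would have banned."""
    return sorted(ip for ip, (_, at) in simulate_jail(log_text, **jail_opts).items() if at)


if __name__ == "__main__":
    # The jail.local values from the thread: maxretry = 3, findtime = 240h
    for ip, (total, at) in simulate_jail(SAMPLE_LOG).items():
        print(f"{ip}: {total} failures, banned at {at}")
    # Even the default 10-minute findtime is enough for this IP
    print("banned with findtime=10m:", banned_ips(SAMPLE_LOG, findtime_seconds=600))
```

With the thread's settings the replay bans 36.138.74.124 at the third matched line (May 01 20:15:30), and it would still ban it with a 10-minute findtime, since one attempt at 20:15 yields two matches within seconds. 124.197.99.28 (caught by the `grep 124` substring, not because it shares the address) has a single failure and stays unbanned. When `fail2ban-regex` agrees with this but the running daemon shows nothing, compare `fail2ban-client status dovecot` (currently failed / total banned counters) against the fail2ban log for that jail: the gap is then between the filter test and what the daemon is actually reading, not in the regex.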