HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

andron26 12th April 2012 19:43

ISPConfig 2 fail2ban problem with dovecot
 
Hi,

I've installed the latest ISPConfig 2 on Fedora 15 with the Perfect Setup.
In ISPC I've turned off the firewall.

Trying to configure fail2ban to block failed logins to dovecot server.

dovecot.conf in filter.d folder:

[Definition]
failregex = (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
ignoreregex =

dovecot part in jail.conf

[dovecot-pop3imap]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
logpath = /var/log/maillog
maxretry = 5
findtime = 600
bantime = 3600

Failed SSH attempts are blocked, but Dovecot ones are not.
I'm stuck. What could be wrong?
If I run fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/dovecot.conf
Use log file : /var/log/maillog


Results
=======

Failregex
|- Regular expressions:
| [1] (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
|
`- Number of matches:
[1] 22528 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:42 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:47 2012)
173.192.142.34 (Sun Apr 08 06:58:52 2012)
210.26.5.2 (Thu Apr 12 18:27:40 2012)
210.26.5.2 (Thu Apr 12 18:27:52 2012)
210.26.5.2 (Thu Apr 12 18:27:52 2012)
210.26.5.2 (Thu Apr 12 18:30:40 2012)
210.26.5.2 (Thu Apr 12 18:30:52 2012)
210.26.5.2 (Thu Apr 12 18:30:52 2012)

Date template hits:
63317 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 22528

However, look at the above section 'Running tests' which could contain important
information.

falko 13th April 2012 16:38

Did you restart fail2ban?

What's in /var/log/maillog when there's a failed Dovecot login attempt?

andron26 14th April 2012 18:05

Yes, I've restarted fail2ban.
SSH rule works and proftpd too.
Log:


Apr 8 07:11:17 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<gopher>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
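
As an added illustration (not part of the thread and not fail2ban's own code), this Python script applies the failregex posted above to log lines from the thread and counts failures per address against the jail's maxretry and findtime. Assumptions: `<HOST>` is simplified to a dotted IPv4 pattern, the year 2012 is supplied because syslog lines carry none, and the last sample line (192.0.2.10) is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied from the filter.d/dovecot.conf posted above.
FAILREGEX = (r"(?: pop3-login|imap_login ): (?:Authentication failure|"
             r"Aborted login \(auth failed|Aborted login \(auth failed|"
             r"Disconnected).*rip=(<HOST>),.*")
# Assumption: simplified stand-in for fail2ban's <HOST> tag, IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# First five lines are from the log posted above; the last one is constructed.
LOG = """\
Apr 8 07:11:17 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<gopher>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
Apr 8 07:11:30 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=192.0.2.10, lip=x.x.x..83
"""

def simulate(log, maxretry=5, findtime=600, year=2012):
    """Return {host: time of the failure that reaches maxretry within findtime}."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # host -> timestamps of recent failures
    bans = {}
    for line in log.splitlines():
        m = pattern.search(line)
        if not m:
            continue                 # line is not a failure for this filter
        host = m.group("host")
        # Timestamp is the first three whitespace-separated fields.
        stamp = " ".join(line.split(None, 3)[:3])
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()           # forget failures older than findtime
        if len(hits) >= maxretry and host not in bans:
            bans[host] = when
    return bans

if __name__ == "__main__":
    for host, when in simulate(LOG).items():
        print(f"{host} reaches maxretry at {when}")
```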

