HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials - Fail2Ban not banning on dovecot service

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)

- - Fail2Ban not banning on dovecot service (http://www.howtoforge.com/forums/showthread.php?t=59663)

Fail2Ban not banning on dovecot service

New to fail2ban, and just trying to get my settings right

ISPConfig3
Ubuntu 12.04.1 LTS
completely up to date.

Had a long string of these, probably over 1000 of them in alphabetical order from mail.log:

Nov 21 14:01:24 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<winston@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:41 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolf@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:58 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolfgang@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:02:15 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<woody@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22

from /etc/fail2ban/filter.d/dovecot.conf:

Original, which was commented out
#failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

Modified:
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

from /etc/fail2ban/jail.conf:

[dovecot]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
findtime = 3600
bantime = 1200

Still having this problem, would like to revisit it briefly, just to see if anyone else is having similar issue.

Running fail2ban-regex on the mail.log for both sasl.conf and postfix.conf return results, but there are zero ban/unbans in the fail2ban log and no errors either, it doesn't seem to be trying at all. Obviously the syntax of the regex is okay, as it gets results, so I'm not sure where in the process this is breaking down.

I'm using Ubuntu 12.04 and Fail2ban updated to 0.8.8, set fail2ban loglevel to 4 and don't see any reason for the failure.

Please double-check that fail2ban is running (e.g. with

Code:

ps aux | grep fail2ban

). Maybe it stopped for some reason.

I experienced what may be the same issue (and it began happening all of a sudden).

Excerpted from the fail2ban mailing list:

Quote:

Hello,

Please forgive me if the solution to my problem is obvious, but I've
done quite a bit of searching-around and nothing has resonated.

I've been using fail2ban-0.8.6 on Ubuntu 10.04-1 LTS for at least a year
without issue (as far as I know).

But recently, it seems that some very persistent users/bots are not
being banned when they should be.

In particular, I see entries in my Linux Logwatch digests like this:

--------------------- SSHD Begin ------------------------

Failed logins from:
85.91.136.121 (85-91-136-121.varna.homelan.bg): 860 times
109.163.239.115: 17 times
173.208.232.143: 64 times
180.166.11.211: 1448 times
199.101.51.153 (host1.dbxmedia.com): 1638 times
216.114.69.35: 602 times

Illegal users from:
82.221.99.229: 8 times
85.91.136.121 (85-91-136-121.varna.homelan.bg): 1 time
173.208.232.143: 90 times
180.166.11.211: 37 times
216.114.69.35: 2 times

[...]

Received disconnect:
11: disconnected by user : 1 Time(s)

**Unmatched Entries**
PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh
ruser= rhost=109.163.239.115 user=root : 11 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 11 time(s)

---------------------- SSHD End -------------------------

860 times, 1448 times, 1638 times, 602 times... why aren't these bots
being banned after 3 times?

I executed the following in an effort to make that determination:

----------------------------------------------------------
# fail2ban-regex /var/log/auth.log.0 /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log.0

Results
=======

Failregex
|- Regular expressions:
| [...]
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 4762 match(es)
[4] 0 match(es)
[5] 134 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[... thousands of matches printed here ...]
[6]
[7]
[8]
[9]
[10]

Date template hits:
148256 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 4896

However, look at the above section 'Running tests' which could contain
important
information.
----------------------------------------------------------

The file /var/log/auth.log.0 contains log entries from Dec 2 03:33:48 to
Dec 2 06:28:15. If I inspect fail2ban's log entries for the same period
of time, I find only the following:

----------------------------------------------------------
2012-12-02 00:26:23,443 fail2ban.server : INFO Changed logging target
to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-12-02 00:26:24,713 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/error.log
2012-12-02 00:26:24,723 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/error.log
2012-12-02 00:30:01,906 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/other_vhosts_access.log
2012-12-02 01:02:37,839 fail2ban.filter : INFO Log rotation detected
for /var/log/auth.log
2012-12-02 01:02:37,976 fail2ban.filter : INFO Log rotation detected
for /var/log/syslog
----------------------------------------------------------

The SSHd jail configuration is:

----------------------------------------------------------
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
----------------------------------------------------------

Might anyone know why fail2ban registered absolutely nothing in its logs
during this ongoing login-per-second attempt, for hours on end, given
the output from fail2ban-regex, above?

Thanks for any pointers,

-Ben

Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?

Quote:

Originally Posted by falko (Post 289887)

Please double-check that fail2ban is running (e.g. with

Code:

ps aux | grep fail2ban

). Maybe it stopped for some reason.

Confirm that it is running, and the log does update with debug messages, just see no sign of ban or unban taking place.

Quote:

Originally Posted by cbj4074 (Post 289896)

I experienced what may be the same issue (and it began happening all of a sudden).

Excerpted from the fail2ban mailing list:

Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?

I haven't gone down the fail2ban mailing list route yet, wanted to see if anyone running more or less the same setup I am have experienced the same issue first.

Curious, what do you use for backend setting, it was set to 'auto' but I changed it to 'polling' and got no results

OK, well, it's "solved" now, CBJ, your post had me thinking that there must just be something amiss, so I did an apt-get purge on fail2ban, rebooted, reinstalled, and it worked. Seems weird, because I had done all of these process separately before, but doing that order seemed to get things up and running (using 0.8.8, not 0.8.6)