#1
21st November 2012, 21:27
blinden (Member)
Fail2Ban not banning on dovecot service

New to fail2ban, and just trying to get my settings right

ISPConfig3
Ubuntu 12.04.1 LTS
completely up to date.

Had a long string of these, probably over 1000 of them in alphabetical order from mail.log:

Nov 21 14:01:24 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<winston@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:41 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolf@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:58 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolfgang@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:02:15 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<woody@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22

from /etc/fail2ban/filter.d/dovecot.conf:

Original, which was commented out:
#failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

Modified:
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

from /etc/fail2ban/jail.conf:

[dovecot]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
findtime = 3600
bantime = 1200

Last edited by blinden; 21st November 2012 at 21:32.
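To see what the dovecot filter and jail above actually do with those log lines, here is an added Python example (not from the post and not fail2ban's own code): it applies the modified failregex, with the two characters the forum's smiley filter swallowed restored, and replays the jail's maxretry/findtime counting. The sample log extends the four quoted lines with constructed entries for the same source IP plus one successful login.

```python
import re
from datetime import datetime

# failregex from the "Modified" dovecot.conf in the post, with the two characters
# the forum's smiley filter ate restored ("(?:pop3-login", "(?:Disconnected").
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|"
    r"Aborted login \(auth failed|Aborted login \(tried to use disabled|"
    r"Disconnected \(auth failed).*rip=(?P<host>\S*),.*")
# syslog timestamp that fail2ban parses and strips before applying failregex
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<rest>.*)$")

# Constructed sample: the four lines from the post, one more failure from the same
# source, and one successful login that the filter must not count.
SAMPLE_LOG = """\
Nov 21 14:01:24 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<winston@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:41 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolf@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:01:58 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<wolfgang@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:02:15 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<woody@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:02:32 mailserver dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<xavier@domain.net>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
Nov 21 14:03:00 mailserver dovecot: imap-login: Login: user=<alice@domain.net>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.22
"""

def match_line(line):
    """Return (timestamp, host) when the filter counts this line, else None."""
    m = TIMESTAMP.match(line)
    hit = FAILREGEX.search(m.group("rest")) if m else None
    if not hit:
        return None
    # syslog lines carry no year; strptime's 1900 default is fine for time deltas
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), hit.group("host")

def count_matches(log):
    """What fail2ban-regex reports: the number of lines the failregex hits."""
    return sum(1 for line in log.splitlines() if match_line(line))

def simulate_jail(log, maxretry=5, findtime=3600):
    """Replay the jail rule: ban a host once maxretry hits fall inside findtime seconds."""
    recent = {}   # host -> timestamps of hits still inside the window
    banned = []
    hits = [h for h in map(match_line, log.splitlines()) if h]
    for ts, host in hits:
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the jail values from the post (maxretry = 5, findtime = 3600) the five failures from 85.13.200.50 are enough for a ban; the same log with findtime = 60 never accumulates five hits in one window, which is the kind of gap between "fail2ban-regex matches" and "no ban logged" worth ruling out.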
#2
19th December 2012, 22:07
blinden (Member)

Still having this problem, would like to revisit it briefly, just to see if anyone else is having a similar issue.

Running fail2ban-regex on the mail.log for both sasl.conf and postfix.conf returns results, but there are zero bans/unbans in the fail2ban log and no errors either; it doesn't seem to be trying at all. Obviously the syntax of the regex is okay, as it gets results, so I'm not sure where in the process this is breaking down.

I'm using Ubuntu 12.04 and Fail2ban updated to 0.8.8, set the fail2ban loglevel to 4, and don't see any reason for the failure.
#3
20th December 2012, 14:01
falko (Super Moderator, Lüneburg, Germany)

Please double-check that fail2ban is running (e.g. with
Code:
ps aux | grep fail2ban
). Maybe it stopped for some reason.
#4
20th December 2012, 23:43
cbj4074 (Senior Member)

I experienced what may be the same issue (and it began happening all of a sudden).

Excerpted from the fail2ban mailing list:

Quote:
Hello,

Please forgive me if the solution to my problem is obvious, but I've
done quite a bit of searching-around and nothing has resonated.

I've been using fail2ban-0.8.6 on Ubuntu 10.04-1 LTS for at least a year
without issue (as far as I know).

But recently, it seems that some very persistent users/bots are not
being banned when they should be.

In particular, I see entries in my Linux Logwatch digests like this:

--------------------- SSHD Begin ------------------------


Failed logins from:
85.91.136.121 (85-91-136-121.varna.homelan.bg): 860 times
109.163.239.115: 17 times
173.208.232.143: 64 times
180.166.11.211: 1448 times
199.101.51.153 (host1.dbxmedia.com): 1638 times
216.114.69.35: 602 times

Illegal users from:
82.221.99.229: 8 times
85.91.136.121 (85-91-136-121.varna.homelan.bg): 1 time
173.208.232.143: 90 times
180.166.11.211: 37 times
216.114.69.35: 2 times

[...]

Received disconnect:
11: disconnected by user : 1 Time(s)

**Unmatched Entries**
PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh
ruser= rhost=109.163.239.115 user=root : 11 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 11 time(s)

---------------------- SSHD End -------------------------

860 times, 1448 times, 1638 times, 602 times... why aren't these bots
being banned after 3 times?

I executed the following in an effort to make that determination:

----------------------------------------------------------
# fail2ban-regex /var/log/auth.log.0 /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log.0


Results
=======

Failregex
|- Regular expressions:
| [...]
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 4762 match(es)
[4] 0 match(es)
[5] 134 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[... thousands of matches printed here ...]
[6]
[7]
[8]
[9]
[10]

Date template hits:
148256 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 4896

However, look at the above section 'Running tests' which could contain important
information.
----------------------------------------------------------


The file /var/log/auth.log.0 contains log entries from Dec 2 03:33:48 to
Dec 2 06:28:15. If I inspect fail2ban's log entries for the same period
of time, I find only the following:

----------------------------------------------------------
2012-12-02 00:26:23,443 fail2ban.server : INFO Changed logging target
to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-12-02 00:26:24,713 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/error.log
2012-12-02 00:26:24,723 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/error.log
2012-12-02 00:30:01,906 fail2ban.filter : INFO Log rotation detected
for /var/log/apache2/other_vhosts_access.log
2012-12-02 01:02:37,839 fail2ban.filter : INFO Log rotation detected
for /var/log/auth.log
2012-12-02 01:02:37,976 fail2ban.filter : INFO Log rotation detected
for /var/log/syslog
----------------------------------------------------------


The SSHd jail configuration is:

----------------------------------------------------------
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
----------------------------------------------------------


Might anyone know why fail2ban registered absolutely nothing in its logs
during this ongoing login-per-second attempt, for hours on end, given
the output from fail2ban-regex, above?

Thanks for any pointers,

-Ben

Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?
#5
21st December 2012, 22:57
blinden (Member)

Quote:
Originally Posted by falko View Post
Please double-check that fail2ban is running (e.g. with
Code:
ps aux | grep fail2ban
). Maybe it stopped for some reason.
Confirmed that it is running, and the log does update with debug messages; I just see no sign of a ban or unban taking place.

Quote:
Originally Posted by cbj4074 View Post
I experienced what may be the same issue (and it began happening all of a sudden).

Excerpted from the fail2ban mailing list:

Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?
I haven't gone down the fail2ban mailing list route yet; I wanted to see if anyone running more or less the same setup I am has experienced the same issue first.

Curious, what do you use for the backend setting? It was set to 'auto', but I changed it to 'polling' and got no results.

Last edited by blinden; 21st December 2012 at 23:19.
#6
22nd December 2012, 00:31
blinden (Member)

OK, well, it's "solved" now. CBJ, your post had me thinking that there must just be something amiss, so I did an apt-get purge on fail2ban, rebooted, reinstalled, and it worked. Seems weird, because I had done all of these processes separately before, but doing them in that order seemed to get things up and running (using 0.8.8, not 0.8.6).