Fail2Ban not banning on dovecot service

Discussion in 'Installation/Configuration' started by blinden, Nov 21, 2012.

  1. blinden

    blinden New Member

    New to fail2ban, and just trying to get my settings right.

    ISPConfig3
    Ubuntu 12.04.1 LTS
    completely up to date.

    Had a long string of these, probably over 1000 of them in alphabetical order from mail.log:

    Nov 21 14:01:24 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
    Nov 21 14:01:41 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
    Nov 21 14:01:58 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22
    Nov 21 14:02:15 mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22

    from /etc/fail2ban/filter.d/dovecot.conf:

    Original, which was commented out
    #failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

    Modified:
    failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

    from /etc/fail2ban/jail.conf:

    [dovecot]

    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = dovecot
    logpath = /var/log/mail.log
    maxretry = 5
    findtime = 3600
    bantime = 1200
     
    Last edited: Nov 21, 2012
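An offline check of the two failregex lines and the jail settings from the post above, added here as an example (not code from the thread or from fail2ban). It applies each regex with Python's `re.search` and models a ban as `maxretry` matches from one host within `findtime` seconds, which is an assumption about the jail's counting. The log lines are constructed from the ones quoted above, with a placeholder user and one constructed non-failure disconnect from 192.0.2.7.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex values copied from the post: the commented-out original and the modified one
ORIGINAL = r".*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
MODIFIED = r"(?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
MAXRETRY, FINDTIME = 5, 3600  # from the [dovecot] jail in the post

# Constructed sample: same shape and 17-second spacing as the quoted mail.log lines
TIMES = ("14:01:24", "14:01:41", "14:01:58", "14:02:15", "14:02:32", "14:02:49")
FAILS = [
    f"Nov 21 {t} mailserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<user@example.com>, method=PLAIN, rip=85.13.200.50, lip=10.0.0.22"
    for t in TIMES
]
# Constructed line: a client that disconnected without ever trying to authenticate
BENIGN = ("Nov 21 14:03:00 mailserver dovecot: pop3-login: "
          "Disconnected (no auth attempts): rip=192.0.2.7, lip=10.0.0.22")

def failures(regex, lines, year=2012):
    """Return (timestamp, host) for every line the failregex matches."""
    found = []
    for line in lines:
        m = re.search(regex, line)
        if m:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found

def bans(regex, lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time of the failure that would trigger the ban}."""
    window, banned = defaultdict(deque), {}
    for ts, host in failures(regex, lines):
        recent = window[host]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()  # drop failures older than findtime
        if len(recent) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, "bans:", bans(rx, FAILS))
        print(name, "matches benign disconnect:", bool(failures(rx, [BENIGN])))
```

Both regexes extract the host from the auth-failure lines, so a jail that never bans on this log is not failing at the regex stage; the bare `Disconnected` alternative in the modified regex also matches the non-failure disconnect, which the original does not.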
  2. blinden

    blinden New Member

    Still having this problem, would like to revisit it briefly, just to see if anyone else is having a similar issue.

    Running fail2ban-regex on the mail.log for both sasl.conf and postfix.conf returns results, but there are zero bans/unbans in the fail2ban log and no errors either; it doesn't seem to be trying at all. Obviously the syntax of the regex is okay, as it gets results, so I'm not sure where in the process this is breaking down.

    I'm using Ubuntu 12.04 and Fail2ban updated to 0.8.8, set fail2ban loglevel to 4 and don't see any reason for the failure.
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Please double-check that fail2ban is running, e.g. with
    Code:
    ps aux | grep fail2ban
    Maybe it stopped for some reason.
     
  4. cbj4074

    cbj4074 Member HowtoForge Supporter

    I experienced what may be the same issue (and it began happening all of a sudden).

    Excerpted from the fail2ban mailing list:

    Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?
     
  5. blinden

    blinden New Member

    Confirmed that it is running, and the log does update with debug messages, just see no sign of a ban or unban taking place.

    I haven't gone down the fail2ban mailing list route yet; wanted to see if anyone running more or less the same setup I am has experienced the same issue first.

    Curious, what do you use for the backend setting? It was set to 'auto' but I changed it to 'polling' and got no results.
     
    Last edited: Dec 21, 2012
  6. blinden

    blinden New Member

    OK, well, it's "solved" now. CBJ, your post had me thinking that there must just be something amiss, so I did an apt-get purge on fail2ban, rebooted, reinstalled, and it worked. Seems weird, because I had done all of these processes separately before, but doing them in that order seemed to get things up and running (using 0.8.8, not 0.8.6).
     
