ISPConfit 2 fail2ban problem with dovecot

Discussion in 'Installation/Configuration' started by andron26, Apr 12, 2012.

  1. andron26

    andron26 Member

    Hi,

    I've installed latest ISPConfig 2 on fedora 15 with perfect setup.
    In ISPC I've turned off firewall.

    Trying to configure fail2ban to block failed logins to dovecot server.

    dovecot.conf in filter.d folder:

    [Definition]
    failregex = (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
    ignoreregex =

    dovecot part in jail.conf

    [dovecot-pop3imap]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
    logpath = /var/log/maillog
    maxretry = 5
    findtime = 600
    bantime = 3600

    Ssh failed attempts are blocked, but dovecot not.
    I've stucked. What could be wrong?
    If I run fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf:
    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/dovecot.conf
    Use log file : /var/log/maillog


    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
    |
    `- Number of matches:
    [1] 22528 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
    173.192.142.34 (Sun Apr 08 06:58:42 2012)
    173.192.142.34 (Sun Apr 08 06:58:42 2012)
    173.192.142.34 (Sun Apr 08 06:58:42 2012)
    173.192.142.34 (Sun Apr 08 06:58:47 2012)
    173.192.142.34 (Sun Apr 08 06:58:47 2012)
    173.192.142.34 (Sun Apr 08 06:58:47 2012)
    173.192.142.34 (Sun Apr 08 06:58:52 2012)
    210.26.5.2 (Thu Apr 12 18:27:40 2012)
    210.26.5.2 (Thu Apr 12 18:27:52 2012)
    210.26.5.2 (Thu Apr 12 18:27:52 2012)
    210.26.5.2 (Thu Apr 12 18:30:40 2012)
    210.26.5.2 (Thu Apr 12 18:30:52 2012)
    210.26.5.2 (Thu Apr 12 18:30:52 2012)

    Date template hits:
    63317 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>

    Success, the total number of match is 22528

    However, look at the above section 'Running tests' which could contain important
    information.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you restart fail2ban?

    What's in /var/log/maillog when there's a failed Dovecot login attempt?
     
  3. andron26

    andron26 Member

    Yes, I've restarted fail2ban.
    SSH rule works and proftpd too.
    Log:


    Apr 8 07:11:17 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<gopher>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
     
    Last edited: Apr 14, 2012

Share This Page