Viewing the IMAP log file, I see many unauthorized brute-force attempts to log in to the email server using the user's email account; somehow fail2ban doesn't ban the IP.
In the IMAP log file, I see a large number of these attempts:
Apr 26 10:08:08 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=
Apr 26 10:08:10 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=<9PeC4hRO7QBuNOvd>
Also, the secure log shows pam_sss / many failed login attempts. The pam-generic jail does not seem to watch the pam-generic.service.
Status for the jail: pam-generic
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: ( NOTHING SHOWING HERE )
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
In the “secure” log file … I get these attempts:
Apr 24 19:36:36 mail auth: pam_sss(dovecot:auth): received for user rmm@.com: 7 (Authentication failure)
Apr 24 19:36:47 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.76
Any suggestion on how to re-configure or set up fail2ban to ban or block the IP would be much appreciated…
From the log files you can see that it seems Fail2Ban is not seeing pam-generic's report … no journal matching file. And also no banning of the IP for the brute-force logins' multiple tries…
I really don't understand why we need to remove the '^'. In a regex it says match at the beginning of the line. If you don't remove it you have 3 matches for the root user, but the lines in the log look the same as your failed attempts.
Remember to restart fail2ban once the regex is modified.
Thanks … I did restart fail2ban … Meanwhile, I also see many of the apache-auth login attempts / errors as well, but fail2ban is not banning the IP even though there were many retries… at least they are filtered.
Similar issues for the postfix jail too, it seems…
Yes, those IPs you see in the log have been coming for the past 1 month… same group. When the login attempts are very close, i.e. within a few minutes of each other, it works OK. I was wondering how to BAN those IPs that try to log in an hour or so apart and keep rotating the last IP segment… Yes, I restarted Fail2Ban a few times trying to adjust the configuration to resolve some of the problems with the Postfix and Dovecot jail functions. (I actually can live with the httpd-auth issues; at least they are filtered, just a nuisance…) Sorry I didn't send you the old logs… & I deleted many of them too.
It's the POSTFIX and DOVECOT brute-force login attempts that bother me more… somehow they are never BANNED.
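Added example (not from anyone in this thread, and not fail2ban's own code): a small Python script that replays a constructed log, modelled on the pam_sss and dovecot lines quoted above, through a fail2ban-style failregex and a findtime/maxretry window. It shows two things the thread touches on: why a failregex starting with '^' never matches a line that begins with the syslog timestamp (re.search is used, as fail2ban does, but fail2ban's own stripping of the date before matching is not reproduced), and why attempts an hour apart never reach maxretry while findtime is only a few minutes. The `<HOST>` substitution is an IPv4-only simplification of fail2ban's real one, the two failregex strings are illustrative rather than the stock filter definitions, and the optional /24 grouping in `offenders()` is a hypothetical addition to show how rotating last-octet addresses could be counted together; the timestamps and the 1.162.76.77 address are constructed.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the thread.  The
# addresses 1.162.76.76 / 110.52.235.221 and the user rmm@.com come from the
# post; the other timestamps and 1.162.76.77 are invented to show findtime.
SAMPLE_LOG = """\
Apr 24 19:36:36 mail auth: pam_sss(dovecot:auth): received for user rmm@.com: 7 (Authentication failure)
Apr 24 19:36:47 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.76
Apr 24 20:40:02 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.76
Apr 24 21:45:13 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.76
Apr 24 22:50:30 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.77
Apr 26 10:08:08 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=
Apr 26 10:08:10 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=<9PeC4hRO7QBuNOvd>
Apr 26 10:08:12 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=<constructed>
"""

# Simplified stand-in for fail2ban's <HOST> (IPv4 only; the real one also takes IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Illustrative failregex strings (assumed, not the stock fail2ban filters).
# PAM_ANCHORED begins with '^', so it must match at the very start of the line,
# which here is the syslog timestamp, not "pam_sss(" -> it never matches.
PAM_ANCHORED = r"^pam_sss\([^)]*\): authentication failure; .* rhost=<HOST>"
PAM_FAILREGEX = r"pam_sss\([^)]*\): authentication failure; .* rhost=<HOST>"
DOVECOT_FAILREGEX = r"pop3-login: Disconnected \(tried to use disallowed plaintext auth\): .* rip=<HOST>"


def compile_failregex(pattern):
    """Replace <HOST> with a capturing group, as fail2ban does before compiling."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_ts(line):
    """Parse the 15-character syslog prefix; the year is irrelevant for deltas."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def failures(log, pattern):
    """Yield (timestamp, host) for every log line the failregex matches (re.search, like fail2ban)."""
    rx = compile_failregex(pattern)
    for line in log.splitlines():
        m = rx.search(line)
        if m:
            yield parse_ts(line), m.group("host")


def count_matches(log, pattern):
    """Per-host match count, the number a filter test would report."""
    counts = defaultdict(int)
    for _, host in failures(log, pattern):
        counts[host] += 1
    return dict(counts)


def offenders(log, pattern, findtime, maxretry, prefixlen=32):
    """Keys that reach maxretry failures within a sliding window of findtime seconds.

    prefixlen=32 counts per address like a stock jail; a smaller prefix (e.g. 24)
    is a hypothetical extension that counts a whole block together.
    """
    window = timedelta(seconds=findtime)
    seen = defaultdict(deque)
    banned = set()
    for ts, host in failures(log, pattern):
        if prefixlen == 32:
            key = host
        else:
            key = str(ipaddress.ip_network(f"{host}/{prefixlen}", strict=False))
        q = seen[key]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(key)
    return banned


if __name__ == "__main__":
    print("anchored pam regex:", count_matches(SAMPLE_LOG, PAM_ANCHORED))
    print("pam regex:", count_matches(SAMPLE_LOG, PAM_FAILREGEX))
    print("pam, findtime=600:", offenders(SAMPLE_LOG, PAM_FAILREGEX, 600, 3))
    print("pam, findtime=3h:", offenders(SAMPLE_LOG, PAM_FAILREGEX, 3 * 3600, 3))
    print("pam, findtime=4h, /24:", offenders(SAMPLE_LOG, PAM_FAILREGEX, 4 * 3600, 3, prefixlen=24))
    print("dovecot, findtime=600:", offenders(SAMPLE_LOG, DOVECOT_FAILREGEX, 600, 3))
```

With the default-like findtime of 600 seconds the pam_sss attempts an hour apart never accumulate to maxretry, which is the behaviour described above; raising findtime (and bantime) in the jail is the knob that covers slow retries, while the /24 grouping is only a sketch of how rotating last-octet sources could be counted together and is not something the stock jail configuration does.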