Fail2ban jail: postfix brute-force login attempts, IP not banned

NethServer Version: 7.3.1611
Module: fail2ban

Viewing the imap log file, I see many unauthorized brute-force attempts to log in to the email server using a user's email account; somehow fail2ban doesn't ban the IP.

In the imap log file I see a large number of these attempts:
Apr 26 10:08:08 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=

Apr 26 10:08:10 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=110.52.235.221, lip=2xx.1xx.2xx.1xx, session=<9PeC4hRO7QBuNOvd>

Also, the secure log shows pam_sss / many failed login attempts. The pam-generic jail does not seem to be watching the pam-generic service.

Status for the jail: pam-generic
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches: ( NOTHING SHOWING HERE )
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

In the "secure" log file I get these attempts:

Apr 24 19:36:36 mail auth: pam_sss(dovecot:auth): received for user rmm@.com: 7 (Authentication failure)
Apr 24 19:36:47 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@.com rhost=1.162.76.76

Any suggestion on how to reconfigure or set up fail2ban to ban or block the IP would be much appreciated…

The pam-generic and dovecot jails are bundled with the fail2ban rpm; I did not modify them. Could you send the real logs so I can look inside?

Thanks for the quick response Stephane. How can I send the log files to you? May I have your email? Thanks…
Regg

Go to the wiki and open a module; you should find an email :slight_smile:

Thanks… I found it and sent the log files to you…
Reggie

From the log files you can see that it seems Fail2Ban is not seeing the pam-generic report: no journal matches. And also it is not banning the IP after the many brute-force login tries…

Got a workaround, can you test it?

vim /etc/fail2ban/filter.d/dovecot.conf

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$

At the first line, remove the '^'.

Then:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Thank you so much, Stephane… really appreciate the quick response…

The test using fail2ban-regex looks good, finding the matches for authentication errors…
I'll monitor it and see how it goes…

I really don't understand why we need to remove the '^'. In a regex it says match at the beginning of the line. If you don't remove it you have 3 matches for the root user, but the lines in the log look the same as your failed attempts.

Remember to restart fail2ban once the regex is modified.

Thanks… I did restart fail2ban… Meanwhile, I also see many apache-auth login attempts / errors as well, but fail2ban is not banning the IP even though there were many retries… at least they are filtered.
Similar issues for the postfix jail too, it seems…

rpm -qa |grep -i fail2ban

Please

This is what I have…

fail2ban-shorewall-0.9.6-3.el7.noarch
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-firewalld-0.9.6-3.el7.noarch
nethserver-fail2ban-0.1.9-1.ns7.sdl.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
fail2ban-0.9.6-3.el7.noarch

Would you mind sending me the apache log and the postfix one too?

Just emailed to you…

Nothing received; can you also attach the fail2ban log?

Will send the fail2ban log right away…
(Sent) The other log files are in zipped files…

How can you state that fail2ban did not ban the IP? I'm curious about it.

In fact, when you restart fail2ban the database is cleaned and the total banned statistic is set to zero. I just verified it.

Yes, those IPs you see in the log have been coming for the past month, the same group. When the login attempts are very close, i.e. within a few minutes of each other, it works OK. I was wondering how to BAN those IPs that try to log in an hour or so apart and keep rotating the last IP segment. Yes, I restarted Fail2Ban a few times trying to adjust the configuration to resolve some of the problems with the Postfix and Dovecot jail functions. (I actually can live with the httpd-auth issues; at least they are filtered, just a nuisance…) Sorry I didn't send you the old logs, and I deleted many of them too.

It's the POSTFIX and DOVECOT brute-force login attempts that bother me more… somehow they are never BANNED.
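As an added example (not code from the thread, NethServer or fail2ban itself), the script below replays the two things discussed above on constructed sample lines: the "authentication failure ... rhost=" matching that the fail2ban-regex test in the workaround post performs, and the maxretry/findtime counting that explains the previous post's observation that attempts a few minutes apart get banned while attempts an hour apart from rotating addresses never do. It goes slightly beyond the thread by also keying the count on a /24 block, only to show that such a pattern becomes visible with a wider window; fail2ban 0.9.6 itself bans single addresses. Assumptions: the sample log lines, the 2017 year used to complete the syslog timestamps, the addresses and the user name are all made up; the regex is a hand-expanded stand-in for the quoted failregex (fail2ban expands `__prefix_line`, `__pam_auth` and `<HOST>` itself and removes the timestamp with its date detector before matching), and `maxretry`/`findtime` values are arguments, not the jail's actual settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines modelled on the pam_sss entries quoted in the thread.
# Addresses are documentation ranges and the user is a placeholder.
SAMPLE_SECURE_LOG = """\
Apr 24 19:36:36 mail auth: pam_sss(dovecot:auth): received for user rmm@example.com: 7 (Authentication failure)
Apr 24 19:36:47 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=192.0.2.10
Apr 24 19:37:02 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=192.0.2.10
Apr 24 19:37:15 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=192.0.2.10
Apr 24 20:40:00 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=198.51.100.7
Apr 24 21:45:00 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=198.51.100.8
Apr 24 22:50:00 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rmm@example.com rhost=198.51.100.9
"""

# Syslog prefix: "Mon DD HH:MM:SS hostname <rest>".  fail2ban strips the
# timestamp with its date detector; here we split it off explicitly.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<rest>.*)$"
)

# Hand-expanded stand-in for the dovecot failregex quoted in the thread
# (assumption: this is NOT fail2ban's own interpolation of __prefix_line,
# __pam_auth and <HOST>, only an equivalent for these sample lines).
FAIL_RE = re.compile(
    r"auth:\s+(?:pam_[a-z]+(?:\(dovecot:auth\))?:)?\s+authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* "
    r"rhost=(?P<host>[\w\-.^_]*\w)(?:\s+user=\S*)?\s*$"
)


def parse_failures(log_text, year=2017):
    """Return [(timestamp, host), ...] for every line the failregex matches.

    The "received for user ... (Authentication failure)" lines carry no rhost
    and do not match, exactly as with the real filter.  `year` is assumed
    because syslog timestamps omit it.
    """
    failures = []
    for line in log_text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("rest"))
        if not f:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, f.group("host")))
    return failures


def simulate_bans(failures, maxretry=5, findtime=600, key=lambda host: host):
    """Replay failures the way a jail counts them.

    A key (by default the bare host) is banned once it has accumulated
    `maxretry` failures inside a sliding window of `findtime` seconds.
    Returns the banned keys in the order they would be banned.
    """
    recent = defaultdict(deque)
    banned = []
    for ts, host in sorted(failures):
        k = key(host)
        q = recent[k]
        q.append(ts)
        # drop failures that fell out of the findtime window
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and k not in banned:
            banned.append(k)
    return banned


def slash24(host):
    """Key an IPv4 address by its /24 (demonstration only; not a fail2ban feature)."""
    return str(ip_network(f"{host}/24", strict=False))


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_SECURE_LOG)
    print("matched failures:", len(failures))
    print("per host, 600 s window:", simulate_bans(failures, maxretry=3))
    print("per /24, 600 s window: ", simulate_bans(failures, maxretry=3, key=slash24))
    print("per /24, 4 h window:   ", simulate_bans(failures, maxretry=3, findtime=4 * 3600, key=slash24))
```

With the sample data the three quick failures from one address are banned, while the three hourly failures from three neighbouring addresses never reach `maxretry` for any single host, and only show up when both the key and the window are widened. The same counting reset is why `Total banned` reads zero right after a restart, as noted above.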

I did not receive your last logs…sorry :slight_smile:

Funny, I received the one with the imap/secure logs.