Fail2ban does not ban with dovecot jail

NethServer Version: NethServer release 7.6.1810 (final)
Module: nethserver-fail2ban-1.1.10-1.ns7.noarch

fail2ban is not banning any IP even though there are many failures in the secure log. All of them are
auth: pam_unix(dovecot:auth) and pam_sss(dovecot:auth):

When testing the regex with
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
I see the IP addresses which should be banned.
There are some error messages in the fail2ban log:
fail2ban.filter [2912]: ERROR No failure-id group in '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[ \]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.*'

a 2nd one starting with (it's very long)
2020-03-01 08:10:04,557 fail2ban.transmitter [2912]: WARNING Command
and 3rd:
2020-03-01 08:10:04,559 fail2ban [2912]: ERROR NOK: ("No failure-id group in '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(tried to use disallowed plaintext auth).*\\s+rip=(?P<host>\\S*),.*'",)
Any help is appreciated


Indeed I decided to use /var/log/imap to catch bad logins, but I can see that I have more matches with /var/log/secure; maybe we could consider switching to /var/log/secure instead of /var/log/imap

[dovecot]
enabled = true
port = 110,143,4190,993,995
logpath = /var/log/imap
maxretry = 3


[dovecot-nethserver]
enabled = true
port = 110,143,4190,993,995
logpath = /var/log/imap
maxretry = 3

in jail.local for the dovecot jail

-logpath = /var/log/imap
+logpath = /var/log/secure
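Review bot: changing only logpath will not produce bans on its own: the dovecot filter quoted in the first post anchors on `(?:pop3-login|imap-login):` and `rip=`, while the /var/log/secure lines are `pam_unix(dovecot:auth): authentication failure; ... rhost=...`, so no line of that file can match it; the jail also needs a failregex for that PAM line format. In addition, the "No failure-id group" error shown means the filter is rejected when it is loaded, before any log line is tested, so that has to be fixed first regardless of which log is read.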

I suspect a Fail2ban 0.10 effect here

or change in /etc/e-smith/templates/etc/fail2ban/jail.local/10dovecot

and signal-event nethserver-fail2ban-save

did all these changes, still no bans at all here

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Use a gist and display us please

what’s a gist?

I’m sorry, since I’m no developer I have never used GitHub, so I really don’t know what I should do there :slight_smile:
The command output ends with:
Missed line(s): too many to print. Use --print-all-missed to print all 13446 lines
I could mail you at least some lines of the output; they are all the same, just with different IP addresses in the rhost. I’m not sure if I want them shown openly on here :thinking:
There are many local IPs but also a lot of others which should be banned.

without evidence I cannot say

they all look like this one:
Mar 3 21:31:58 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=peter rhost=141.98.80.146 user=peter

hundreds of them since march 1st

fail2ban bans when it finds an IP several times within a specified time

For example, if a jail finds an IP three times within a findtime of ten minutes, then it bans it (default configuration)

you have to check /var/log/fail2ban.log and also all relevant logs of the jail you are looking at
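The two mechanics discussed in this thread, the "No failure-id group" error from the dovecot filter in the first post and the findtime/maxretry counting described just above, in one added Python example. This is not code from the thread or from the nethserver-fail2ban package; it is a cut-down model of what fail2ban 0.10 does: the `<HOST>` tag is expanded into named `ip4`/`ip6`/`dns` groups and a regex is only accepted as a failregex when one of those failure-id groups is present, which is why a filter that spells out `(?P<host>\S*)` by hand, as the logged regex does, is rejected before any line is read. It then replays constructed log lines, modelled on the /var/log/secure line quoted later in the thread, through a dovecot-login-style regex and a PAM-style regex with a findtime/maxretry window. The two regexes, the sample lines, the 2020 year and the ignoreip list are assumptions, not the distribution's files.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Model of fail2ban 0.10's failregex handling (assumed, not fail2ban's code):
# <HOST> expands to ip4/ip6/dns groups; one failure-id group must be present.
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST = (r"(?:(?P<ip4>" + IP4 + r")|(?P<ip6>[0-9a-fA-F]*:[0-9a-fA-F:]+)"
        r"|(?P<dns>[\w\-.^_]*\w))")
FAILURE_ID_GROUPS = ("fid", "ip4", "ip6", "dns")

def compile_failregex(pattern):
    """Expand <HOST>; reject a regex with no failure-id group ("No failure-id group in ...")."""
    rx = re.compile(pattern.replace("<HOST>", HOST))
    if not any(g in rx.groupindex for g in FAILURE_ID_GROUPS):
        raise ValueError("No failure-id group in %r" % pattern)
    return rx

def accepts_failregex(pattern):
    try:
        compile_failregex(pattern)
        return True
    except ValueError:
        return False

# Assumed filters, simplified rewrites rather than the package's filter.d files.
# Dovecot's own login lines carry "rip=<ip>,"; the PAM lines written to
# /var/log/secure carry "rhost=<ip>".  LEGACY_* spells the host group out by
# hand (0.9 style) instead of using <HOST>, as the logged regex does.
DOVECOT_FAILREGEX = (r"(?:pop3-login|imap-login): .*(?:Authentication failure|"
                     r"Aborted login \(auth failed|Disconnected \(auth failed)"
                     r".*\s+rip=<HOST>,")
LEGACY_DOVECOT_FAILREGEX = DOVECOT_FAILREGEX.replace("<HOST>", r"(?P<host>\S*)")
PAM_FAILREGEX = (r"pam_\w+\(dovecot:auth\): authentication failure; "
                 r".* rhost=<HOST>(?:\s+user=\S*)?\s*$")

def parse_line(line, year=2020):
    """Split a syslog line into (timestamp, message); syslog omits the year (assumed 2020)."""
    return datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S"), line[16:]

def failure_id(match):
    # whichever failure-id group the expanded <HOST> filled in
    return next(v for g, v in match.groupdict().items() if g in FAILURE_ID_GROUPS and v)

def ignored(fid, ignoreip):
    """ignoreip check; a dns name (which fail2ban would resolve first) is not ignored here."""
    try:
        return any(ipaddress.ip_address(fid) in ipaddress.ip_network(n) for n in ignoreip)
    except ValueError:
        return False

def run_jail(lines, failregex, maxretry=3, findtime=600, ignoreip=("127.0.0.0/8",)):
    """Replay lines through one failregex like a jail: count failures per source
    inside the findtime window (seconds), ban at maxretry.
    Returns (failure ids of every matched line, {banned ip: time of ban})."""
    rx = compile_failregex(failregex)
    window, matched, bans = defaultdict(deque), [], {}
    for line in lines:
        ts, msg = parse_line(line)
        m = rx.search(msg)
        if not m:
            continue                      # a missed line never counts
        fid = failure_id(m)
        matched.append(fid)
        if ignored(fid, ignoreip) or fid in bans:
            continue
        q = window[fid]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                   # older than findtime: forgotten
        if len(q) >= maxretry:
            bans[fid] = ts
            q.clear()
    return matched, bans

# Constructed sample lines modelled on the /var/log/secure line quoted in the
# thread; 192.168.1.20 stands in for the "local IPs" mentioned there.
PAM = ("home2 auth: pam_%s(dovecot:auth): authentication failure; logname= "
       "uid=0 euid=0 tty=dovecot ruser=%s rhost=%s user=%s")
SAMPLE_SECURE = [
    "Mar  3 21:31:58 " + PAM % ("unix", "peter", "141.98.80.146", "peter"),
    "Mar  3 21:32:41 " + PAM % ("sss", "peter", "141.98.80.146", "peter"),
    "Mar  3 21:33:05 " + PAM % ("unix", "anna", "192.168.1.20", "anna"),
    "Mar  3 21:34:12 " + PAM % ("unix", "peter", "141.98.80.146", "peter"),
    "Mar  3 21:40:00 " + PAM % ("unix", "bob", "198.51.100.9", "bob"),
    "Mar  3 22:10:30 " + PAM % ("unix", "bob", "198.51.100.9", "bob"),
    "Mar  3 22:11:00 " + PAM % ("unix", "bob", "198.51.100.9", "bob"),
]
SAMPLE_IMAP = ["Mar  3 21:35:02 home2 dovecot: imap-login: Aborted login (auth "
               "failed, 1 attempts in 2 secs): user=<peter>, method=PLAIN, "
               "rip=203.0.113.7, lip=192.0.2.10, TLS"]

if __name__ == "__main__":
    print("0.9-style (?P<host>) filter loads:", accepts_failregex(LEGACY_DOVECOT_FAILREGEX))
    for name, rx, lines in (("dovecot/secure", DOVECOT_FAILREGEX, SAMPLE_SECURE),
                            ("pam/secure", PAM_FAILREGEX, SAMPLE_SECURE),
                            ("dovecot/imap", DOVECOT_FAILREGEX, SAMPLE_IMAP)):
        matched, bans = run_jail(lines, rx, ignoreip=("127.0.0.0/8", "192.168.0.0/16"))
        print("%-15s matched=%d bans=%s" % (name, len(matched), sorted(bans)))
```

Run stand-alone it shows the three situations from the thread: the legacy filter is refused outright, the dovecot-login regex matches nothing in the PAM-style lines (so a jail pointed at /var/log/secure with that filter has nothing to count), and the PAM regex bans 141.98.80.146 on its third failure within ten minutes while 198.51.100.9, whose first failure lies outside the findtime window, stays at two and is not banned.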

I did.
I find enough IPs in the secure log that it should ban. Nothing in the fail2ban log, and nothing is banned.

try to restart the service and show us the log; you can send it to me at stephdl at de-labrusse.fr

mail is sent

config show fail2ban

I have the feeling that you have enabled the debug log, not sure it is good; indeed no found or no ban in your logs

yes I did, I thought I’d find something; I will disable it again :slight_smile:
if you need it I’ll mail you a download link for the secure log

I saw something like a crash due to the filters; do you have any custom filters?

Try to reconfigure

signal-event nethserver-filter-save

not that I know any :thinking:

running the reconfigure command results in:
Can't open directory /etc/e-smith/events/nethserver-filter-save