Fail2ban does not ban with dovecot jail

NethServer Version: NethServer release 7.6.1810 (final)
Module: nethserver-fail2ban-1.1.10-1.ns7.noarch

fail2ban is not banning any IP even there are many failures in the secure log. all of them are
auth: pam_unix(dovecot:auth) and pam_sss(dovecot:auth):

When testing the regex with
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
I see the IP addresses which should be banned.
There are some error messages in the fail2ban log:
fail2ban.filter [2912]: ERROR No failure-id group in '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[ \]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(tried to use disal lowed plaintext auth).*\s+rip=(?P<host>\S*),.*'

a 2nd one starting with (its verry long)
2020-03-01 08:10:04,557 fail2ban.transmitter [2912]: WARNING Command
and 3rd:
2020-03-01 08:10:04,559 fail2ban [2912]: ERROR NOK: ("No failure-id group in '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?: \\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \\(auth failed|Aborted login \\(t ried to use disabled|Disconnected \\(tried to use disallowed plaintext auth).*\\s+rip=(?P<host>\\S*),.*'",)
Any help is appreciated

1 Like

Indeed I decided to use /var/log/imap to catch bad login, but I can see that I have more matched with /var/log/secure, maybe we could consider to switch to /var/log/secure instead of /var/log/imap

enabled = true
port = 110,143,4190,993,995
logpath = /var/log/imap
maxretry = 3

enabled = true
port = 110,143,4190,993,995
logpath = /var/log/imap
maxretry = 3

in jail.local for the dovecot jail

-logpath = /var/log/imap
+logpath = /var/log/secure

I suspect a Fail2ban0.10 effect here

or change in /etc/e-smith/templates/etc/fail2ban/jail.local/10dovecot

and signal-event nethserver-fail2ban-save

did all this changes, still no banns at all here

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Use a gist and display us please

what’s a gist?

I’m sorry, since I’m no developer I never used github so I realy dont know what I should do there :slight_smile:
The command output ends with:
Missed line(s): too many to print. Use --print-all-missed to print all 13446 lines
I could mail you at least some of lines of the output, they are all the same just some different IP-Adresses on the rhost. I’m not sure if I want them openly shown on here :thinking:
There are many local IP’s but also a lot of others which should be banned.

without evidences I cannot state

they all look like this one:
| Mar 3 21:31:58 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=peter rhost= user=peter

hundreds of them since march 1st

fail2ban bans when it finds an IP several time in a specified time

For example if a jail found an IP three time in a FindTime of ten minutes, then it ban it (default configuration)

you have to check /var/log/fail2ban.log and also all relevant logs of the jail you are looking

I did.
I find in the secure log enough IPs it should ban. nothing in the fail2ban log. and nothing is banned

try to restart the service, and expose us the log, you can send me at stephdl at

mail ist sent

config show fail2ban

I have the feeling that you have enabled the debug log, bot sure it is good, indeed no found or no ban in your logs

yes I did, I thought I’ll find something, I will disable it again :slight_smile:
if you need I’ll mail you a downloadlink for the secure log

I saw something like a crash due to the filters, do you have some custom filters ?

Try to reconfigure

signal-event nethserver-filter-save

not that I know any :thinking:

running the reconfigure command result:
Can't open directory /etc/e-smith/events/nethserver-filter-save