signal-event nethserver-fail2ban-save
sent you the log, from the restart on
2020-03-03 22:30:50,357 fail2ban.filter [11859]: ERROR No failure-id group in '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.*'
2020-03-03 22:30:50,357 fail2ban.transmitter [11859]: WARNING Command ['server-stream', [['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10
As you can see, you have a huge crash in fail2ban.log. Disable the dovecot jail and check the log, but afterwards you have to do it for each jail, until you find which jail crashes the service… not much idea right now
Can I just remove the whole fail2ban with all settings and reinstall it?
What do I have to delete so there would be a clean install?
yum remove \*fail2ban\*
rm -rf /etc/fail2ban
config delete fail2ban
yum install nethserver-fail2ban
time to go to bed, the day was insane
Thank you;
I'll try it and I'll report. My day was also insane. Maybe it's the times we live in.
A clean new install did not change anything.
Still the huge crash.
When I disable dovecot, everything works fine, so it's definitely a dovecot problem.
Send me your secure and imap log please
sent you a link
did you find anything in the logs?
Not much, the logs are good. Check the permissions:
[root@prometheus ~]# ll /var/log/imap
-rw------- 1 root root 1425201 Mar 4 21:59 /var/log/imap
[root@prometheus ~]# ll /var/log/secure
-rw------- 1 root root 2197105 Mar 4 22:07 /var/log/secure
I do not know where to search now :?
[root@prometheus ~]# fail2ban-regex imap /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : imap
Use encoding : UTF-8
Results
=======
Failregex: 2512 total
|- #) [# of hits] regular expression
| 2) [2512] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [11146] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 11146 lines, 0 ignored, 2512 matched, 8634 missed
[processed in 1.25 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 8634 lines
[root@prometheus ~]# fail2ban-regex secure /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : secure
Use encoding : UTF-8
Results
=======
Failregex: 3367 total
|- #) [# of hits] regular expression
| 1) [3367] ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [18255] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 18255 lines, 0 ignored, 3367 matched, 14888 missed
[processed in 2.07 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 14888 lines
I need to check more, but I think we should switch to /var/log/secure for dovecot; as you saw, we have more matches on my server.
OK, thank you again for your help. fail2ban is up now, at least for all the other jails, and has already banned over 600 IPs, so it helps already.
Will you update the package or should I switch manually to /var/log/secure?
Don't know, I need to share with the dev_team.
From what I read in your log file, you have a lot of bad attempts under the dovecot jail.
Yep, that's why I want to ban them.
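Added example, not part of the thread and not fail2ban's own code: fail2ban 0.10 and later reject any failregex that defines none of the groups fid, ip4, ip6 or dns (the groups that <HOST> and <F-ID> expand to), which is the "No failure-id group" ERROR logged at the top of the thread. The check below reproduces that offline for the rejected regex and for regex 2) from the fail2ban-regex output; the HOST pattern is a simplified assumption and SAMPLE is a constructed log line.

```python
import re

# Group names fail2ban 0.10+ accepts as the failure identifier.
FAILURE_ID_GROUPS = ("fid", "ip4", "ip6", "dns")

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not its real patterns).
HOST = (r"(?:(?P<ip4>\d{1,3}(?:\.\d{1,3}){3})"
        r"|\[?(?P<ip6>[0-9a-fA-F:]{3,39})\]?"
        r"|(?P<dns>[\w\-.]+))")

# Tail of the rejected regex from the ERROR line (syslog prefix omitted).
OLD = (r"(?:pop3-login|imap-login):.*(Authentication failure|Aborted login "
       r"\(auth failed|Aborted login \(tried to use disabled|Disconnected "
       r"\(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.*")

# Regex 2) from the fail2ban-regex run against the imap log.
NEW = (r"^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, "
       r"\d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) "
       r"\S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?"
       r"(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$")

# Constructed sample line, as it looks after the date and daemon prefix.
SAMPLE = ("Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, "
          "method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<abc123>")


def expand_tags(failregex):
    """Turn <HOST> and <F-NAME>...</F-NAME> tags into named groups."""
    rx = failregex.replace("<HOST>", HOST)
    rx = re.sub(r"<F-([A-Z0-9_]+)>", lambda m: "(?P<%s>" % m.group(1).lower(), rx)
    return re.sub(r"</F-[A-Z0-9_]+>", ")", rx)


def lint_failregex(failregex):
    """Return None if the regex can identify a failure, else the reason."""
    groups = re.compile(expand_tags(failregex)).groupindex
    ok = any(g in groups for g in FAILURE_ID_GROUPS)
    return None if ok else "No failure-id group"


def failure_id(failregex, line):
    """Return the captured failure id for a log line, or None."""
    m = re.search(expand_tags(failregex), line)
    found = m.groupdict() if m else {}
    return next((found[g] for g in FAILURE_ID_GROUPS if found.get(g)), None)


if __name__ == "__main__":
    print(lint_failregex(OLD), lint_failregex(NEW), failure_id(NEW, SAMPLE))
```

Running the same lint over every failregex line in a filter file before reloading fail2ban shows which jail's filter carries a hard-coded (?P<host>...) group.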