Fail2ban jail postfix brute force attempts to logins not banning the ip

Ok… please check… already sent… I’d be stepping out for a few hours. Thanks again.

Me too… I will ride about 50km with my mountain bike tomorrow :slight_smile:

Have fun… on your mountain bike… Cheers…

Thanks, I have no more legs today… they killed me :stuck_out_tongue:

The logs you sent me showed that the recidive and the apache jails work. To check this, the fail2ban log is the way to go, because the statistics displayed by fail2ban-client status [JAILNAME] are reset to zero when the service restarts.

Concerning the workaround in the post above (removing ‘^’), does it work?

I want to go to the fail2ban issue tracker and ask why I need to remove it :-?

Hi Stephane…

You must be having a wonderful time biking… lots of biking trails around where I live too, but we have had so much rain lately… not a chance for me to go riding…

Removing the “^” doesn’t seem to work…

I don’t quite understand how fail2ban works… I see fail2ban checking against the 2 services (postfix.service and dovecot.service) instead of the log files - IMAP & MAILLOG…

The IMAP & MAILLOG log files showed many unauthorized brute force login attempts… somehow fail2ban didn’t ban the IP, and the fail2ban.log doesn’t show any banned IP.
Not sure what to check for…

[root@mail ~]# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
[root@mail ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Most of the unauthorized brute force login attempts on the DOVECOT are using the POP3 protocol…

@davidep where is the dovecot service supposed to log?

We can also see a lot of bad logins in the secure log.

/var/log/imap

Are the failed attempts still actually occurring? fail2ban by default looks in the logs over a period of 900 seconds… earlier failed attempts are not banned. At this point the best way to see if the jail works is the method in the post above

fail2ban-regex /var/log/imap /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

We can specify the log name if we want, but if fail2ban doesn’t find the right log to watch it crashes. Please can you send me the IMAP and the MAILLOG logs?

Interesting topic, we must close it with a solution :slight_smile:


Hi Stephane,

I sent you the IMAP and MAILLOG files… just now…
The postfix jail and dovecot jail are matching against 2 services… postfix.service and dovecot… Not sure if those services pick up the brute force login attempts. It seems fail2ban is not running the matches against the IMAP & MAILLOG files.

I tried running " systemctl status postfix.service -a "… it showed part of the recent logins including the failed attempts, but fail2ban didn’t seem to pick up & ban the IPs. Similarly I can run " systemctl status dovecot -a "; I missed seeing the failed login attempts… (not sure if it shows them at all).

I’m doing an update to set a specific log name for these jails

In addition… I noticed the postfix-rbl and pam_generic jails are not matching any log files.
Could that be the reason why they don’t seem to work?

[root@mail ~]# fail2ban-client status postfix-rbl
Status for the jail: postfix-rbl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

[root@mail ~]# fail2ban-client status pam-generic
Status for the jail: pam-generic
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Would you please post the jail you tweaked:
cat /etc/fail2ban/filter.d/dovecot.conf

Here are the dovecot details.
This is the line I changed as per your recommendation… removing the “^”:

failregex = %(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$

I’d send you the file… When I try to paste the whole file contents here, the display messes up…


Some food for thought

  • for the secure log

The bugs came from pam_sss, which was not watched; the jail was looking only after pam_unix. I need to add a custom jail to look after the two directives.

I suppose that dovecot not logging failed logins to /var/log/imap (but to the secure log) is intended by the setting
/etc/dovecot/dovecot.conf:209:# auth_verbose = yes

  • for the imap log

The dovecot jail doesn’t match your lines in the imap file. I don’t see the evident reason, but I know this dovecot jail is often tweaked according to need. I will also provide a custom jail to ban the attackers.

@rmk please install the new rpm via yum update

You need to monitor the logs for some time; you can follow the bans in the fail2ban log or with the command ‘fail2ban-listban’

Keep in mind that you cannot ban an IP whose attempts are older than the findtime value (900 seconds by default); only newer ones can be banned.

To @all: you should monitor your logs… fail2ban was not fully tested for ns7… you should keep an eye on it for ns6 also.

postfix log ->/var/log/maillog
dovecot -> /var/log/imap
authentication -> /var/log/secure

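The two points in the post above (a jail that only watches pam_unix misses pam_sss failures in /var/log/secure, and a failure older than findtime no longer counts toward a ban) can be checked offline with a small model of what fail2ban-regex and a jail do. The following is an added example written for this thread; it is not fail2ban code or part of the nethserver-fail2ban package. It assumes: a simplified stand-in for fail2ban's __prefix_line, two constructed failregex patterns that mimic the stock pam_unix-only filter and a pam_unix|pam_sss custom one, constructed /var/log/secure lines using RFC 5737 test addresses, the year 2017 for the yearless syslog timestamps, and findtime=900 with maxretry=5.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's __prefix_line (assumption, not the real one):
# syslog timestamp, hostname, then any "program[pid]:" tokens before the PAM module.
PREFIX_LINE = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?:\S+ )*?"

# Tail modelled on the pam-generic/dovecot filters; fail2ban writes <HOST> here,
# this example uses a named group so it runs with plain `re`.
_PAM_TAIL = (r"\(\S+:auth\): authentication failure; logname=\S* uid=\S* euid=\S* "
             r"tty=\S* ruser=\S* rhost=(?P<host>\S+)(?:\s+user=\S*)?\s*$")

STOCK_FAILREGEX = PREFIX_LINE + r"pam_unix" + _PAM_TAIL          # pam_unix only
CUSTOM_FAILREGEX = PREFIX_LINE + r"pam_(?:unix|sss)" + _PAM_TAIL  # both modules

# Constructed sample of /var/log/secure (not the thread's real logs).
# 203.0.113.5: one pam_unix failure then four pam_sss failures within 15 seconds.
# 198.51.100.7: four quick failures, then a fifth 905 s after the first.
SECURE_LOG = """\
May  1 18:40:12 mail dovecot: auth-worker(1234): pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.com rhost=203.0.113.5
May  1 18:40:15 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.com rhost=203.0.113.5 user=alice@example.com
May  1 18:40:19 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob@example.com rhost=203.0.113.5 user=bob@example.com
May  1 18:40:23 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol@example.com rhost=203.0.113.5 user=carol@example.com
May  1 18:40:27 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=dave@example.com rhost=203.0.113.5 user=dave@example.com
May  1 18:40:40 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=x rhost=198.51.100.7 user=x
May  1 18:40:45 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=x rhost=198.51.100.7 user=x
May  1 18:40:50 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=x rhost=198.51.100.7 user=x
May  1 18:40:55 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=x rhost=198.51.100.7 user=x
May  1 18:41:00 mail sshd[2001]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  1 18:56:00 mail dovecot: auth-worker(1234): pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=x rhost=198.51.100.7 user=x
"""


def parse_ts(ts, year=2017):
    """Syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def scan(log_text, failregex, findtime=900, maxretry=5):
    """Model a jail: count failregex hits per rhost inside a sliding findtime
    window and report which IPs reach maxretry.
    Returns (number_of_matched_lines, [banned_ips_in_order])."""
    rx = re.compile(failregex)
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    matched, banned = 0, []
    for line in log_text.splitlines():
        m = rx.match(line)
        if not m:
            continue
        matched += 1
        host, now = m.group("host"), parse_ts(m.group("ts"))
        window = recent[host]
        window.append(now)
        # failures older than findtime no longer count, exactly the
        # "anterior to findtime" case from the thread
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return matched, banned


if __name__ == "__main__":
    # Same comparison fail2ban-regex gives for a filter against a log file.
    for name, rx in (("stock pam_unix-only", STOCK_FAILREGEX),
                     ("custom pam_unix|pam_sss", CUSTOM_FAILREGEX)):
        hits, bans = scan(SECURE_LOG, rx)
        print(f"{name}: {hits} line(s) matched, banned: {bans or 'none'}")
```

Running the block shows the stock-style pattern matching only the single pam_unix line (no ban), while the pam_sss-aware pattern matches all ten failures; 203.0.113.5 is banned on its fifth failure, but 198.51.100.7 never is, because by the time its fifth failure arrives the first four have aged out of the 900-second window. That is the same check fail2ban-regex --print-all-matched gives on the real filter, minus the window logic, which is why Stephane asks to watch the fail2ban log over time rather than trusting a single status readout.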

Thanks a lot Stephane… I just updated fail2ban… Will monitor and report back…
Really appreciate the help…

Awesome Stephane… Thank you for the hard work… ! :wink:

I have some good news to report!
The " pam_generic " jail is working now, BANNING the repeat offending IPs…

The postfix and dovecot jails are ready for the offending IPs… they usually come late at night or in the early wee hours… so here it waits to bust them!

For the pam_generic jail I now get an email report, as in the EXAMPLE below:

Hi,

The IP 43.231.209.0 has just been banned by Fail2Ban after
6 attempts against pam-generic.

Here is more information about 43.231.209.0 :

[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use ‘whois -h whois.nic.ad.jp help’. To only display English output, ]
[ add ‘/e’ at the end of command, e.g. ‘whois -h whois.nic.ad.jp xxx/e’. ]

No match!!

Reference: WHOIS servers of RIRs
APNIC WHOIS(whois.apnic.net)
ARIN WHOIS(whois.arin.net)
RIPE WHOIS(whois.ripe.net)
LACNIC WHOIS(whois.lacnic.net)
AfriNIC WHOIS(whois.afrinic.net)

Regards,

Fail2Ban

******************Status of fail2ban-listban **********************
Status of Jails

apache-auth Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-badbots Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-fakegooglebot Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-modsecurity Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-nohome Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-noscript Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-overflows Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-scan Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
apache-shellshock Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
dovecot Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
httpd-admin Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
mysqld-auth Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
pam-generic Jail enabled
- Currently banned: 12 - Total banned: 13
- Banned IP: 110.36.41.216 193.138.154.205 61.91.164.114 14.186.244.1 103.86.55.89 43.231.209.0 202.126.94.70 92.52.6.25 180.178.181.197 184.170.24.39 117.244.102.81 117.255.208.214
phpmyadmin Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
postfix Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
postfix-rbl Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
recidive Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
roundcube-auth Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
sieve Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
sshd Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:
sshd-ddos Jail enabled
- Currently banned: 0 - Total banned: 0
- Banned IP:

List of all banned IP:
Shorewall 5.0.14.1 Chain dynamic at xxx.xxdomain.com - Mon May 1 18:51:29 PDT 2017

Counters reset Mon May 1 15:40:43 PDT 2017

Chain dynamic (5 references)
pkts bytes target prot opt in out source destination
49 3346 DROP all -- * * 110.36.41.216 0.0.0.0/0
27 2074 DROP all -- * * 193.138.154.205 0.0.0.0/0
16 1266 DROP all -- * * 61.91.164.114 0.0.0.0/0
20 1376 DROP all -- * * 14.186.244.1 0.0.0.0/0
21 1596 DROP all -- * * 103.86.55.89 0.0.0.0/0
18 1374 DROP all -- * * 43.231.209.0 0.0.0.0/0
67 4440 DROP all -- * * 202.126.94.70 0.0.0.0/0
26 1924 DROP all -- * * 92.52.6.25 0.0.0.0/0
30 2518 DROP all -- * * 180.178.181.197 0.0.0.0/0
33 2714 DROP all -- * * 184.170.24.39 0.0.0.0/0
27 2274 DROP all -- * * 117.244.102.81 0.0.0.0/0
8 464 DROP all -- * * 117.255.208.214 0.0.0.0/0


Looking at the maillog file, these IPs are actually trying to log in to postfix/smtpd… so the pam_generic jail is working and blocked the postfix/smtpd brute-force login attempts.


Hi Stephane
Awesome… it’s working… You’re the MAN!
Please confirm that the postfix, dovecot and authentication jails are now working!

Thank you so much… your help is very much appreciated…
Cheers ! :slight_smile:


Hi Stephane
Update: found one IP that escapes the postfix & pam_generic jails. This IP does not show in the secure log but can be found in the maillog. I’ll send you the log file for review…

Thanks… meanwhile I’ll keep monitoring & see if there is any further re-occurrence…

Thanks for the recent nethserver-fail2ban-0.1.12-1.ns7.sdl.noarch updates…
It’s looking good…
