1 Topic by ag (edited by ag 2013-06-03 16:36:02)

  • ag
  • Member
  • Offline
  • Registered: 2012-12-10
  • Posts: 52

Topic: Fail2ban and iredmail

======== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian 6
- Related log if you're reporting an issue:
====

Hello,
I've started to have problem (when I restarted fail2ban) with fail2ban logs but it looks like fail2ban is working.


For exmaple the:

devcot.iredmail.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tr$
ignoreregex =

dovecot.log

Jun 03 10:13:57 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<mail@domain.com>, method=PLAIN, rip=USER_IP_ADDRESS, lip=SERVER_IP_ADDRESS, TLS: Disconnected

jail.local

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", prot$
logpath     = /var/log/dovecot.log
maxretry    = 3
findtime    = 300
bantime     = 3600
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

but when i do this:

fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.iredmail.conf

i get:

Results
=======

Failregex
|- Regular expressions:
|  [1] etc/fail2ban/filter.d/dovecot.iredmail.conf
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

and in fail2ban.log i get

2013-06-03 10:01:21,869 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:21,870 fail2ban.filter : DEBUG  /var/log/mail.log has been modified
2013-06-03 10:01:21,870 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:24,183 fail2ban.filter : DEBUG  /var/log/dovecot.log has been modified
2013-06-03 10:01:24,183 fail2ban.filter : DEBUG  Found USER_IP_ADDRESS
2013-06-03 10:01:24,183 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:24,637 fail2ban.actions: WARNING [dovecot-iredmail] Ban USER_IP_ADDRESS
2013-06-03 10:01:24,637 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-dovecot
2013-06-03 10:01:24,640 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-dovecot returned successfully
2013-06-03 10:01:24,640 fail2ban.actions.action: DEBUG  iptables -I fail2ban-dovecot 1 -s USER_IP_ADDRESS -j DROP
2013-06-03 10:01:24,642 fail2ban.actions.action: DEBUG  iptables -I fail2ban-dovecot 1 -s USER_IP_ADDRESS -j DROP returned successfully

And when i check USER_IP_ADDRESS is banned but in log files I have mess and I need to straight things out.

In fail2ban.log in loop i have:

2013-06-03 10:01:49,211 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:02:21,245 fail2ban.filter : DEBUG  /var/log/dovecot.log has been modified

and 

2013-06-03 10:01:20,868 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:21,868 fail2ban.filter : DEBUG  /var/log/mail.log has been modified

If you could help me straight things out with dovecot I think I can handle by myself proftpd, ssh, etc.

Best regards,
ag

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: Fail2ban and iredmail

*) Restarting fail2ban service will re-create/initial iptables chains.
*) Please check Fail2ban's regular express with your log entries.

I tried the log entry you pasted with default iRedMail fail2ban filter, it works for me:

# cat /tmp/log.txt
Jun 03 10:13:57 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<mail@domain.com>, method=PLAIN, rip=99.99.99.99, lip=99.99.99.99, TLS: Disconnected

# fail2ban-regex /tmp/log.txt /etc/fail2ban/filter.d/dovecot.iredmail.conf
...
Results
=======

Failregex
|- Regular expressions:
|  [1] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
|
`- Number of matches:
   [1] 1 match(es)
...
Success, the total number of match is 1
...

3 Reply by ag (edited by ag 2013-06-08 16:22:39)

  • ag
  • Member
  • Offline
  • Registered: 2012-12-10
  • Posts: 52

Re: Fail2ban and iredmail

When I did this test i get:

root@xxx:~# fail2ban-regex /tmp/log.txt /etc/fail2ban/filter.d/dovecot.iredma                                                                                                                                                             il.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is                                                                                                                                                              deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/dovecot.iredmail.conf
Use log file   : /tmp/log.txt


Results
=======

Failregex
|- Regular expressions:
|  [1] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(a                                                                                                                                                             uth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*ri                                                                                                                                                             p=(?P<host>\S*),.*
|
`- Number of matches:
   [1] 1 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    99.99.99.99 (Mon Jun 03 10:13:57 2013)

Date template hits:
2 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.

But in the fail2ban.log nothing changed, below couple of last lines:

...
2013-06-03 10:33:28,929 fail2ban.actions: DEBUG  proftpd: action terminated
2013-06-03 10:33:28,929 fail2ban.jail   : INFO   Jail 'proftpd' stopped
2013-06-03 10:33:28,929 fail2ban.server : DEBUG  Removed socket file /var/run/fail2ban/fail2ban.sock
2013-06-03 10:33:28,929 fail2ban.server : DEBUG  Socket shutdown
2013-06-03 10:33:28,930 fail2ban.server : DEBUG  Remove PID file /var/run/fail2ban/fail2ban.pid
2013-06-03 10:33:28,930 fail2ban.server : INFO   Exiting Fail2ban

I should have ban entry for 99.99.99.99 in fail2ban.log, right?

Where can i check what kind of conf file fail2ban use? dovecot.conf or dovecot.iredmail.conf?

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: Fail2ban and iredmail

Fail2ban config files are placed under /etc/fail2ban/ by default, it defines which filter/action file it will use.