I have fail2ban installed. I have the dovecot jail (out of the box) working BUT…
Almost every day I’m getting the following in my Logwatch
-------------------- pam_unix Begin ------------------------
dovecot:
Authentication Failures:
jboyd: 13 Time(s)
kboyd: 3 Time(s)
jfverster: 2 Time(s)
tharrier: 2 Time(s)
kbayd: 1 Time(s)
Invalid Users:
Unknown Account: 3 Time(s)
and the dovecot jail is not stopping this.
My jail in jail.local is:
[dovecot]
enabled = true
action = iptables-multiport[port="http,https,smtp,smtps,pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/maillog
findtime = 86400
maxretry = 2
bantime = 86400
destemail = root@localhost
It seems to catch a few and let others go by. I’m using postfix and dovecot.
Can anyone come up with a better solution to stop these would-be hackers?
(1039 / 41) [/etc/fail2ban]$: fail2ban-client status recidive
Status for the jail: recidive
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
But these are not all of them; there’s a pile that DON’T get trapped, and that’s where the figures in the earlier post are coming from. So I don’t think the recidive would make any difference.
Probably a bad REGEX. Use fail2ban-regex to test your Dovecot and the recidive filters against your log files. Use --print-all-missed to see all missed IPs. Review your fail2ban log and firewall for any issues with banning these offenders. Also, set up a test account to trigger the filter(s) for testing.
I’m sorry, I’m a beginner. Can you explain how to use fail2ban-regex? These .conf files are so complicated, I don’t know where to start. And how do I test for --print-all-missed?
I’m an ex-Novell engineer, but that was a lifetime ago. I’m almost 84, so gimme a break!
Fail2ban requires good debugging skills. One needs to be able to trace how fail2ban’s filters parse the appropriate log file(s) for matches or missed entries, when it bans or unbans an IP address, and how it updates your firewall rules in real time. It comes with working through the configuration issues and possible quirks with fail2ban. Here are some commands to help.
List all options and command syntax for fail2ban-client
fail2ban-client -h
Test fail2ban configuration for errors (NOTE: syntax only)
fail2ban-client -t
Lists all active fail2ban jails and their status.
fail2ban-client status
Lists all IP addresses banned.
fail2ban-client banned
Show the status of a specific fail2ban jail
fail2ban-client status <JAIL>
example: fail2ban-client status sshd
List status of ALL active Jails
fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status
List all options and command syntax for fail2ban-regex
fail2ban-regex -h
Test filter against systemd-journal
Example: fail2ban-regex -vv systemd-journal /etc/fail2ban/filter.d/dovecot.conf | less
Test filter against an existing log file
Example: fail2ban-regex -vv /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf | less
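To make the "matched vs. missed" idea concrete, here is a small stand-in for what fail2ban-regex --print-all-missed reports, written as an added example for this thread (it is not fail2ban's code). The failregex patterns and the maillog lines are constructed assumptions, not the stock /etc/fail2ban/filter.d/dovecot.conf; the point is that a filter which only knows the imap-login "auth failed" line leaves the pam_unix failures that Logwatch is counting unmatched, so those hosts never reach maxretry.

```python
"""Mini fail2ban-regex: apply failregex lines (with fail2ban's <HOST>
placeholder) to log lines and report hits per host, missed lines, and
which hosts would cross maxretry. Constructed example, not fail2ban's own code."""
import re
from collections import Counter

# fail2ban expands <HOST> to an IP/hostname group; IPv4 is enough here (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed maillog lines: two imap-login failures, two pam_unix failures
# (the form that shows up in Logwatch's pam_unix section), one successful login.
SAMPLE_LOG = [
    "Mar  3 04:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<jboyd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS",
    "Mar  3 04:12:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<kboyd>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS",
    "Mar  3 04:13:22 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jfverster rhost=203.0.113.7",
    "Mar  3 04:13:40 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tharrier rhost=203.0.113.7",
    "Mar  3 04:15:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.5, TLS",
]

# Assumed filter that only knows the imap-login "auth failed" line ...
NARROW = [r"dovecot: .*-login: .*\(auth failed, .*\): user=<[^>]*>, .*rip=<HOST>"]
# ... and the same filter extended with a pattern for the pam_unix form.
EXTENDED = NARROW + [
    r"dovecot: auth: pam_unix\(dovecot:auth\): authentication failure; .*rhost=<HOST>"
]

def compile_failregex(patterns):
    """Turn fail2ban-style patterns into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def scan(lines, patterns, maxretry=2):
    """Return (hits per host, missed lines, hosts at or over maxretry)."""
    regs = compile_failregex(patterns)
    hits, missed = Counter(), []
    for line in lines:
        for r in regs:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break
        else:  # no failregex matched: this is what --print-all-missed lists
            missed.append(line)
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return hits, missed, banned

if __name__ == "__main__":
    for name, pats in (("narrow", NARROW), ("extended", EXTENDED)):
        hits, missed, banned = scan(SAMPLE_LOG, pats)
        print(f"[{name}] hits={dict(hits)} banned={banned} missed={len(missed)}")
        for line in missed:
            print("  MISSED:", line[:70])
```

With the narrow filter only 192.0.2.10 is banned and the pam_unix lines show up as missed; with the extended one, 203.0.113.7 also reaches maxretry=2 and only the successful login stays unmatched.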
Yes, thanks for the help. I did manage to find the error and get it to work.
The only problem now is how to get it to mail me when a jail is activated. Most of them are fine, but where there is already an
action = iptables-multiport[…
then an additional
action = %(action_mw)s
throws an error, and there seems to be no way to have both actions in the same jail. I’ve seen a lot of suggestions on websites, but none of them so far have worked.