Another fail2ban issue I could use some help with

I have fail2ban installed. I have the dovecot jail (out of the box) working BUT…
Almost every day I’m getting the following in my Logwatch

-------------------- pam_unix Begin ------------------------

dovecot:
Authentication Failures:
jboyd: 13 Time(s)
kboyd: 3 Time(s)
jfverster: 2 Time(s)
tharrier: 2 Time(s)
kbayd: 1 Time(s)
Invalid Users:
Unknown Account: 3 Time(s)
and the dovecot jail is not stopping this.

My jail in jail.local is:

[dovecot]
enabled = true
action = iptables-multiport[port=“http,https,smtp,smtps,pop3,pop3s,imap,imaps”, protocol=tcp]
logpath = /var/log/maillog
findtime = 86400
maxretry = 2
bantime = 86400
destemail = root@localhost
It seems to catch a few and let others go by. I’m using postfix and dovecot.

Can anyone come up with a better solution to stop these would-be hackers?

Use the recidive filter against the fail2ban log file. This will trap any IPs that attempt to bypass the Dovecot ban filter by repeated attempts.

Another option is to firewall off the Dovecot ports to only allow specific IPs to access.

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
# findtime: 1 day
findtime = 86400
bantime = 604800
maxretry = 1
#

(1039 / 41) [/etc/fail2ban]$: fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

This isn’t the same offender multiple times they are all different, What confuses me is this. I trap a bunch of dovecot in my jail

dovecot:                                                [  2:78 ]
   67.53.250.58 (router.rohmtech.com)                      1:6  
   41.188.44.150 (tgn.188.44.150.dts.mg)                   0:6  
   45.81.232.17 (cweb04.gamingcontrol.de)                  0:6  
   93.47.218.66 (93-47-218-66.ip114.fastwebnet.it)         0:6  
   115.135.28.19                                           0:6  
   129.222.252.182 (customer.atlagax1.pop.starlinkisp.net)   0:6  
   174.138.7.65                                            0:6  
   178.176.175.128                                         0:6  
   180.248.2.210                                           0:6  
   180.251.148.242                                         0:6  
   188.43.200.253 (ahito-gw.transtelecom.net)              0:6  
   188.162.199.47                                          0:6  
   194.169.175.18                                          0:6  
   103.142.179.28                                          1:0  

But these are not all of them, there’s a pile that DON’T get trapped that’s where the figures are coming from in the earlier post. So I don’t think the recidive would make any difference

Probably a bad REGEX. Use fail2ban-regex to test your Dovecot and the recidive filters against your log files. Use --print-all-missed to see all missed IPs. Review your fail2ban log and firewall for any issues with banning these offenders. Also, set up a test account to trigger the filter(s) for testing.

I’m sorry, I’m a beginner. Can you explain how to use fail2ban-regex. These .conf files are so complicated, I don’t know where to start. And how do I test for --print-all-missed?

I’m ex-Novell engineer, but that was a lifetime ago, I’m almost 84, so gimme a break!

The man page for fail2ban-regex shows the syntax and options.

Example

fail2ban-regex options logfile filter

Be sure to use full paths for any filenames.

Fail2ban requires good debugging skills. One needs to be able to trace how fail2ban’s filters parse the appropriate log file(s) for matches or missed entries, when it bans or unban an IP address, and how it updates your firewall rules in real time. It comes with working through the configuration issues and possible quirks with fail2ban. Here are some commands to help.

List all options and command syntax for fail2ban-client
fail2ban-client -h

test fail2ban configuration for error(s) (NOTE: only syntax)
fail2ban-client -t 

Lists all active fail2ban jails and their status.
fail2ban-client status 

Lists all IP addresses banned.
fail2ban-client banned 

Show the status of a specific fail2ban jail
fail2ban-client status <JAIL>

	example: fail2ban-client status sshd 

List status of ALL active Jails
fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status

List all options and command syntax for fail2ban-regex
fail2ban-regex -h 

Test filter against systemd-journal

Example: fail2ban-regex -vv systemd-journal /etc/fail2ban/filter.d/dovecot.conf | less

test filter against existing log file

Example: fail2ban-regex -vv /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf | less

Yes, thanks for the help. I did manage to find the error and get it to work.

The only problem now, is how to get it to mail me when a jail is activated. Most of them are fime but ehere there is already an

action = iptables-multiport[…

then an additional

action = %(action_mw)s

throws an error and there seems to be no way to have both actions in the same jail. I’ve seen a lot of suggestons on websites. but none of them so far have worked.

Getting email alerts for fail2ban is only in the [DEFAULT] section of jail.local. I don’t want the WHOIS report or any other listings.

action = %(action_)s