Difference between revisions of "Talk:Dovecot"

From Fail2ban
Jump to navigationJump to search
(New page: If you want to catch this:<br> Aug 29 19:45:13 MyHostName dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=123.123.123.123 <br> ...)
 
m (Add note about maillog on cPanel servers)
 
(6 intermediate revisions by 5 users not shown)
Line 4: Line 4:
 
Here is the regex:<br>
 
Here is the regex:<br>
 
dovecot.*authentication failure.*rhost\=<host><br>
 
dovecot.*authentication failure.*rhost\=<host><br>
 +
<br >
 +
To catch lines like:<br>
 +
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5<br>
 +
the regexp is:<br>
 +
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*<br>
 +
<br>
 +
<br> CentOS 5.2 and Dovecot: <br>
 +
 +
Create file /etc/fail2ban/filter.d/dovecot.conf
 +
<br>failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
 +
 +
 +
Add to file /etc/fail2ban/filter.d/jail.conf
 +
<br>[dovecot]
 +
<br>enabled  = true
 +
<br>filter  = dovecot
 +
<br>action  = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
 +
<br>sendmail-whois[name=Dovecot, dest=your_email@your_domain.com, sender=fail2ban@mail.com]
 +
<br>logpath  = /var/log/secure
 +
<br>maxretry = 3
 +
 +
Note: For cPanel based servers the logpath is /var/log/maillog
 +
<br><br>
 +
You can test your config while editing the filter file (in CentOS 5.2):<br>
 +
 +
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
 +
<br><br>
 +
 +
Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
 +
<br>bantime  = 60<br><br>
 +
 +
<hr>
 +
 +
Suggested regexp to catch failed sql-logins:
 +
 +
<pre>
 +
failregex = dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
 +
</pre>
 +
 +
 +
On Fedora Core 10, what actually seems to work is
 +
        failregex = dovecot.*authentication failure.*rhost\=<HOST>
 +
Note uppercase, rather than the first suggestion above.  Action needs to be iptables; using hosts.deny will have no effect.
 +
 +
== Debian squeeze (v0.8.4) with dovecot 1.2 with ignore regexp for broken connections ==
 +
 +
On my new server I've got
 +
<pre>
 +
[Definition]
 +
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
 +
ignoreregex = imap-login: Disconnected.*\(no auth attempts\).*
 +
</pre>
 +
catches
 +
<pre>
 +
Jun 25 11:44:06 xyz dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<xyz>, method=PLAIN, rip=x.y.26.246, lip=x.y.20.196, TLS
 +
</pre>
 +
but ignores successfully
 +
<pre>
 +
Jun 25 16:41:43 xyz dovecot: imap-login: Disconnected (no auth attempts): rip=x.y.26.246, lip=x.y.20.196, TLS handshaking: Disconnected
 +
</pre>
 +
and
 +
<pre>
 +
Jun 25 16:42:12 xyz dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=x.y.26.246, lip=x.y.20.196, TLS
 +
</pre>
 +
 +
I need the ignore lines because I use IMAP from a smartphone. Had to unban me today ;).

Latest revision as of 06:13, 29 January 2012

If you want to catch this:
Aug 29 19:45:13 MyHostName dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=123.123.123.123

Here is the regex:
dovecot.*authentication failure.*rhost\=<host>

To catch lines like:
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5
the regexp is:
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*


CentOS 5.2 and Dovecot:

Create file /etc/fail2ban/filter.d/dovecot.conf
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)


Add to file /etc/fail2ban/filter.d/jail.conf
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
sendmail-whois[name=Dovecot, dest=your_email@your_domain.com, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3

Note: For cPanel based servers the logpath is /var/log/maillog

You can test your config while editing the filter file (in CentOS 5.2):

/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

Don't depend on old breech attempts...create and test fresh ones yourself with jail.conf 'bantime' set to 60 seconds:
bantime = 60

Suggested regexp to catch failed sql-logins: 

failregex = dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch


On Fedora Core 10, what actually seems to work is 

       failregex = dovecot.*authentication failure.*rhost\=<HOST>

Note uppercase, rather than the first suggestion above. Action needs to be iptables; using hosts.deny will have no effect.

Debian squeeze (v0.8.4) with dovecot 1.2 with ignore regexp for broken connections

On my new server I've got 

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex = imap-login: Disconnected.*\(no auth attempts\).*

catches 

Jun 25 11:44:06 xyz dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<xyz>, method=PLAIN, rip=x.y.26.246, lip=x.y.20.196, TLS

but ignores successfully 

Jun 25 16:41:43 xyz dovecot: imap-login: Disconnected (no auth attempts): rip=x.y.26.246, lip=x.y.20.196, TLS handshaking: Disconnected

and 

Jun 25 16:42:12 xyz dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=x.y.26.246, lip=x.y.20.196, TLS

I need the ignore lines because I use IMAP from a smartphone. Had to unban me today ;).

Retrieved from "http://wiki.fail2ban.org/wiki/index.php?title=Talk:Dovecot&oldid=4458"