Hello everyone,
my system:
debian_version 7.5
fail2ban 0.8.6-3wheezy2
dovecot --version 2.1.7
fail2ban is set up and works flawlessly for ssh, sasl and postfix. Only with dovecot it won't.
jail.conf:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/mail.info
maxretry = 6
findtime = 1200
bantime = 36000
dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Disconnected \(no auth).*rip=(?P<host>\S*),.*
ignoreregex =
Output of fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/dovecot-pop3imap.conf:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use log file : /var/log/mail.info
Results
=======
Failregex
|- Regular expressions:
| [1] (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Disconnected \(no auth).*rip=(?P<host>\S*),.*
|
`- Number of matches:
[1] 919 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
80.187.96.199 (Sun May 25 02:20:09 2014)
80.187.96.199 (Sun May 25 02:20:29 2014)
200.58.123.94 (Sun May 25 03:41:02 2014)
93.104.93.17 (Sun May 25 08:50:57 2014)
77.222.42.182 (Sun May 25 08:50:59 2014)
93.104.93.17 (Sun May 25 08:57:37 2014)
93.104.93.17 (Sun May 25 08:57:37 2014)
93.104.93.17 (Sun May 25 09:47:33 2014)
200.58.123.94 (Sun May 25 10:37:46 2014)
93.104.93.17 (Sun May 25 10:49:11 2014)
93.104.93.17 (Sun May 25 10:49:11 2014)
93.104.93.17 (Sun May 25 10:49:11 2014)
93.104.93.17 (Sun May 25 10:49:33 2014)
91.52.50.204 (Sun May 25 10:54:06 2014)
109.43.0.227 (Sun May 25 10:58:46 2014)
109.43.0.227 (Sun May 25 10:58:46 2014)
109.43.0.227 (Sun May 25 10:58:46 2014)
109.43.0.227 (Sun May 25 10:58:46 2014)
109.43.0.227 (Sun May 25 10:58:54 2014)
109.43.0.227 (Sun May 25 10:58:54 2014)
109.43.0.227 (Sun May 25 10:58:54 2014)
109.43.0.227 (Sun May 25 10:58:54 2014)
109.43.2.163 (Sun May 25 11:40:10 2014)
109.43.2.163 (Sun May 25 11:40:10 2014)
[...]
Excerpt from /var/log/mail.info:
May 30 09:44:00 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<lizdy>, method=PLAIN, rip=46.29.255.128, lip=x, session=<3atqNJn67gAuHf+A>
May 30 09:44:03 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<pwrchute>, method=PLAIN, rip=46.29.255.128, lip=x, session=<cdKZNJn6rwAuHf+A>
May 30 09:44:03 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<backup>, method=PLAIN, rip=46.29.255.128, lip=x, session=<ooycNJn6xQAuHf+A>
May 30 09:44:04 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<server>, method=PLAIN, rip=46.29.255.128, lip=x, session=<O52tNJn6ZwAuHf+A>
May 30 09:44:06 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<access>, method=PLAIN, rip=46.29.255.128, lip=x, session=<PlTQNJn61gAuHf+A>
May 30 09:44:07 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<data>, method=PLAIN, rip=46.29.255.128, lip=x, session=<YSfdNJn6fAAuHf+A>
May 30 09:44:08 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<account>, method=PLAIN, rip=46.29.255.128, lip=x, session=<IGDqNJn6DwAuHf+A>
May 30 09:44:10 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<lizdy>, method=PLAIN, rip=46.29.255.128, lip=x, session=<CZwINZn6ewAuHf+A>
May 30 09:44:13 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<pwrchute>, method=PLAIN, rip=46.29.255.128, lip=x, session=<xNA3NZn6/QAuHf+A>
May 30 09:44:14 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<server>, method=PLAIN, rip=46.29.255.128, lip=x, session=</kBMNZn6YQAuHf+A>
May 30 09:44:17 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<access>, method=PLAIN, rip=46.29.255.128, lip=x, session=<XY1uNZn69AAuHf+A>
May 30 09:44:18 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<account>, method=PLAIN, rip=46.29.255.128, lip=x, session=<HGmINZn68QAuHf+A>
May 30 09:44:18 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<data>, method=PLAIN, rip=46.29.255.128, lip=x, session=<5Tt7NZn6DwAuHf+A>
May 30 09:44:24 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 18 secs): user=<pwrchute>, method=PLAIN, rip=46.29.255.128, lip=x, session=<e+7VNZn61QAuHf+A>
May 30 09:44:27 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<access>, method=PLAIN, rip=46.29.255.128, lip=x, session=<cokMNpn60wAuHf+A>
May 30 09:44:34 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<pwrchute>, method=PLAIN, rip=46.29.255.128, lip=x, session=<aCt0Npn6RQAuHf+A>
Any idea?
Thanks and regards,
ll
fail2ban +dovecot
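The fail2ban-regex run in the post only proves that the failregex matches lines; it says nothing about whether the jail's maxretry/findtime window ever fills up for a single host. The following Python script is an added example (not code from any post, and not fail2ban's own implementation): it replays the posted failregex over the 46.29.255.128 lines from the log excerpt plus a few constructed lines, applies the jail's maxretry = 6 and findtime = 1200 as a sliding per-host window, and reports which hosts would be banned and when. It assumes the log year 2014 (syslog lines carry no year) and keeps the named group in Python syntax, exactly as the posted filter already writes it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from the thread's /etc/fail2ban/filter.d/dovecot-pop3imap.conf.
# The posted filter already uses (?P<host>...) instead of fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
    r"|Disconnected \(no auth).*rip=(?P<host>\S*),.*"
)

# Syslog timestamp prefix as rsyslog writes it into /var/log/mail.info.
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
LOG_YEAR = 2014  # assumption: syslog lines have no year; the thread is from May 2014

# Sample input (constructed for this example): the 46.29.255.128 lines are taken
# from the post's excerpt, the 198.51.100.7, 192.0.2.10 and 203.0.113.9 lines are
# made up (documentation address ranges) to show the findtime window and a
# successful login that must NOT match.
SAMPLE_LOG = """\
May 30 09:00:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:05:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:10:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:15:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:20:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:26:00 server dovecot: imap-login: Disconnected (no auth attempts in 5 secs): rip=198.51.100.7, lip=x
May 30 09:44:00 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<lizdy>, method=PLAIN, rip=46.29.255.128, lip=x, session=<3atqNJn67gAuHf+A>
May 30 09:44:03 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<pwrchute>, method=PLAIN, rip=46.29.255.128, lip=x, session=<cdKZNJn6rwAuHf+A>
May 30 09:44:03 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<backup>, method=PLAIN, rip=46.29.255.128, lip=x, session=<ooycNJn6xQAuHf+A>
May 30 09:44:04 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<server>, method=PLAIN, rip=46.29.255.128, lip=x, session=<O52tNJn6ZwAuHf+A>
May 30 09:44:06 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<access>, method=PLAIN, rip=46.29.255.128, lip=x, session=<PlTQNJn61gAuHf+A>
May 30 09:44:07 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<data>, method=PLAIN, rip=46.29.255.128, lip=x, session=<YSfdNJn6fAAuHf+A>
May 30 09:44:08 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<account>, method=PLAIN, rip=46.29.255.128, lip=x, session=<IGDqNJn6DwAuHf+A>
May 30 09:45:01 server dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=x, mpid=4711, TLS
May 30 09:46:10 server dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=x
"""


def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches, in log order."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        t = TIMESTAMP.match(line)
        if not t:
            continue  # fail2ban likewise drops lines whose date it cannot parse
        ts = datetime.strptime(f"{LOG_YEAR} {t.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host")


def simulate_jail(log_text, maxretry=6, findtime=1200):
    """Replay the jail: per host keep only failures younger than `findtime`
    seconds; the first time that window holds `maxretry` entries the host
    counts as banned. Returns (matches_per_host, {host: time_of_ban})."""
    window = defaultdict(deque)
    matches = defaultdict(int)
    bans = {}
    horizon = timedelta(seconds=findtime)
    for ts, host in parse_failures(log_text):
        matches[host] += 1
        q = window[host]
        q.append(ts)
        while ts - q[0] >= horizon:  # failures that fell out of the findtime window
            q.popleft()
        if host not in bans and len(q) >= maxretry:
            bans[host] = ts
    return dict(matches), bans


if __name__ == "__main__":
    matches, bans = simulate_jail(SAMPLE_LOG)
    for host, n in sorted(matches.items()):
        print(f"{host:16} {n} match(es)  banned at {bans.get(host, '-')}")
```

Run against the sample, 46.29.255.128 is banned at its sixth failure (09:44:07), the successful login from 192.0.2.10 never matches, and 198.51.100.7 collects six "no auth attempts" matches over 26 minutes yet is never banned, because no six of them fall inside 1200 seconds; with findtime = 1800 it is banned too. That is the check to do before blaming the regex: the "Number of matches" that fail2ban-regex prints is a total over the whole file, not a per-host count inside one findtime window.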
Re: fail2ban +dovecot
Hi,
I think your config is missing ports =
Please give that a try.
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
ports = 143,993
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/mail.info
maxretry = 6
findtime = 1200
bantime = 36000
regards rAdiuM
What do Windows and a submarine have in common? Open a window and the trouble starts!
Re: fail2ban +dovecot
radium wrote: ports = 143,993
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
(shouldn't that actually be 'port=...'?)
Since action= is specified explicitly here, so the default action with its placeholders does not apply,
it should rather be
...
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
...
There is already a [dovecot] template and a dovecot.conf, isn't there?
regards rendegast
-----------------------
Much zeal, much error; less zeal, less error; no zeal, no error.
(Lin Yutang, "Moment in Peking")
Re: fail2ban +dovecot
Hello radium,
tested with ports and with port, same result.
fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use log file : /var/log/mail.info
Results
=======
Failregex
|- Regular expressions:
| [1] (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Disconnected \(no auth).*rip=(?P<host>\S*),.*
|
`- Number of matches:
[1] 27 match(es)
[...]
Regards, LL
Re: fail2ban +dovecot
Hello rendegast,
rendegast wrote: Is ...,chain=INPUT] still missing?
Added it, let's see whether that helps.
rendegast wrote: There is already a [dovecot] template and a dovecot.conf, isn't there?
Yes, I replaced it with the one above because it did not help either.
Regards, LL