Score:0

How to create failregex to block imap-logins fail2ban


Could someone help me with creating a correct fail2ban filter? Bad IP addresses are knocking on port 993, and /etc/fail2ban/filter.d/dovecot.conf doesn't catch such log lines.

I found something like this, but I get errors with it:

[Definition]

failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $

The mail.log

Jan 28 11:35:10 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS, session=<4WmzJqHWpuJ1Mm4F>
Jan 28 11:35:11 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<8Bi9JqHWYIB1Mm4F>
Jan 28 11:35:12 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<9vHEJqHWmIF1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=676) failed: Connection reset by peer, session=<Ri3TJqHWtIJ1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<RjDbJqHWdIR1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<mHXjJqHWHIV1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<l6XnJqHW0IV1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=595) failed: Connection reset by peer, session=<ic/zJqHWhoZ1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<aw78JqHWXId1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<gTIAJ6HWMoh1Mm4F>
Jan 28 11:35:16 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share, session=<l9UIJ6HW8Ih1Mm4F>

Thank you again

Score:1

You don't need to write your own regex if you use a newer fail2ban version in which the dovecot filter supports aggressive mode.
You can check it with:

fail2ban-regex /path/to/log-or-test-message dovecot[mode=aggressive]

If you see matches, it works for you, so simply set this in your jail.local for the dovecot jail:

[dovecot]
mode = aggressive
...
enabled = true

I found something like this, but I get errors with it

Your example seems to be incomplete (trimmed?); anyway, it does not have <ADDR> or <HOST>, and it may have been written for another fail2ban version (which you also didn't provide).

Anyway, for v0.10 or higher it could look like this, but it would only work together with the prefregex specified a few lines higher in the same filter, as well as with the other substitution variables specified there, and it may also depend on the version of the common filter include.

Or even something like this (it must work with every version and doesn't need includes):

failregex = ^\s*(?:\S+\s+)?(?:(?:dovecot(?:-auth)?|auth)(?:\[\d+\])?:?\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \(uid=\w+\): auth(?:-worker)?<\d+>: )?(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
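To see what the include-free failregex above actually catches before putting it into a jail, here is an added example (not part of the answer or of fail2ban itself) that runs that regex over the question's log lines in plain Python. It imitates what fail2ban does: it strips the syslog timestamp first, substitutes the `<HOST>` tag (with my own simplified IP-literal pattern, an assumption; fail2ban's real substitution also accepts hostnames), counts matches per source address and applies a `maxretry` threshold. The sample log is constructed: five lines copied from the question plus two made-up lines, a successful login and an `auth failed` abort, which this regex deliberately does not match (the latter is the case the question's own trimmed regex targets, so in a real jail you still want the stock failregex alongside this one).

```python
import re
from collections import Counter

# Constructed sample: five lines from the question's mail.log, a normal login
# (must not match) and an "auth failed" abort (not covered by this regex).
SAMPLE_LOG = """\
Jan 28 11:35:10 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS, session=<4WmzJqHWpuJ1Mm4F>
Jan 28 11:35:11 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<8Bi9JqHWYIB1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=676) failed: Connection reset by peer, session=<Ri3TJqHWtIJ1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<l6XnJqHW0IV1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<gTIAJ6HWMoh1Mm4F>
Jan 28 11:36:02 mbm2-srv dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.7, lip=192.168.1.254, TLS, session=<constructed0001>
Jan 28 11:36:40 mbm2-srv dovecot: imap-login: Aborted login (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=192.168.1.254, TLS, session=<constructed0002>
"""

# fail2ban removes the matched date before applying failregex; do the same for
# the syslog "Mon DD HH:MM:SS " prefix.
SYSLOG_TS = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: IP
# literals only; fail2ban's real pattern also accepts hostnames).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# The include-free failregex from the answer, verbatim except for <HOST>.
FAILREGEX = (
    r"^\s*(?:\S+\s+)?(?:(?:dovecot(?:-auth)?|auth)(?:\[\d+\])?:?\s+)?"
    r"(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?"
    r"(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?"
    r"(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?"
    r"(?:Info: )?(?:conn \w+:auth(?:-worker)? \(uid=\w+\): auth(?:-worker)?<\d+>: )?"
    r"(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
    r"(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|"
    r"client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):"
    r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$"
).replace("<HOST>", HOST_RE)
FAIL = re.compile(FAILREGEX)


def strip_timestamp(line):
    """Drop the leading syslog timestamp, as fail2ban does before matching."""
    return SYSLOG_TS.sub("", line, count=1)


def match_line(line):
    """Return the offending host if the line matches the failregex, else None."""
    m = FAIL.search(strip_timestamp(line.rstrip("\n")))
    return m.group("host") if m else None


def failures_by_host(log_text):
    """Count matching lines per source address (what the jail's counter sees)."""
    counts = Counter()
    for line in log_text.splitlines():
        host = match_line(line)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(log_text, maxretry=5):
    """Addresses that reached maxretry matches (findtime ignored here)."""
    return sorted(h for h, n in failures_by_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failures_by_host(SAMPLE_LOG).items():
        print(f"{host}: {n} matches")
    print("would ban:", hosts_to_ban(SAMPLE_LOG, maxretry=5))
```

The two constructed lines are there on purpose: the normal `Login:` line never matches, and the `Aborted login (auth failed, ...)` line does not match this regex either, because its alternation only lists the `no auth attempts` / `disconnected before auth was ready` / `client didn't finish ... auth` disconnects. That is exactly the "aggressive" behaviour: it bans scanners that open port 993 and never authenticate, while actual password guessing is the job of the normal-mode failregex, so keep both.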

Thank you, glad to see your reply. I'll try that, but it looks like port scanning, not real DoS or brute forcing. And because port 993 is open, I see logs like this quite a lot.
mangohost
