I made the change, but it did not have any effect.  The double backslash is
how Fail2ban shows it; the actual filter file only has a single backslash.
I even switched to the original file code from the dovecot wiki, but that
did not make a difference.

failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

The one I had used was

failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*

I'm at a loss as to the cause.

Everything looks fine in the log, just no action:

2015-12-13 08:05:43,592 fail2ban.server         [24768]: INFO    Changed logging target to /var/log/fail2ban for Fail2ban v0.9.3
2015-12-13 08:05:43,593 fail2ban.database       [24768]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-12-13 08:05:43,602 fail2ban.jail           [24768]: INFO    Creating new jail 'dovecot-pop3imap'
2015-12-13 08:05:43,892 fail2ban.jail           [24768]: INFO    Jail 'dovecot-pop3imap' uses pyinotify
2015-12-13 08:05:43,914 fail2ban.filter         [24768]: INFO    Set jail log file encoding to UTF-8
2015-12-13 08:05:43,915 fail2ban.jail           [24768]: INFO    Initiated 'pyinotify' backend
2015-12-13 08:05:43,932 fail2ban.filter         [24768]: INFO    Added logfile = /var/log/maillog
2015-12-13 08:05:43,941 fail2ban.filter         [24768]: INFO    Set maxRetry = 20
2015-12-13 08:05:43,942 fail2ban.filter         [24768]: INFO    Set jail log file encoding to UTF-8
2015-12-13 08:05:43,943 fail2ban.actions        [24768]: INFO    Set banTime = 172800
2015-12-13 08:05:43,944 fail2ban.filter         [24768]: INFO    Set findtime = 3600
2015-12-13 08:05:43,986 fail2ban.jail           [24768]: INFO    Jail 'dovecot-pop3imap' started
2015-12-13 08:05:44,182 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:05:44,182 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:05:44,182 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:05:44,189 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:05:44,189 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:05:44,189 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:11:16,275 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:11:16,290 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz
2015-12-13 08:11:16,291 fail2ban.filter         [24768]: INFO    [dovecot-pop3imap] Found ww.xx.yy.zz

Brad
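To make the two questions raised in this thread concrete (does the same IP really reach maxretry within findtime, and does '<HOST>' extract the same address as '(?P<host>\S*)'), here is an added Python check that is not part of the thread or of Fail2ban. It runs the posted failregex over constructed maillog lines with the jail.local values maxretry=20 and findtime=3600; the '<HOST>' expansion is my recollection of what fail2ban 0.9 substitutes (an assumption, not taken from the thread), and the per-host sliding window is a simplified model of the jail's counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from the thread, with the single backslashes the filter file actually holds.
FAILREGEX = (r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
             r"|Aborted login \(tried to use disabled|Disconnected \(auth failed"
             r"|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*")
# The same filter written with the <HOST> tag suggested in the thread.
FAILREGEX_HOST_TAG = FAILREGEX.replace(r"(?P<host>\S*)", "<HOST>")
# What fail2ban 0.9 substitutes for <HOST> (assumption from memory of the 0.9 sources, not from the thread).
HOST_TAG_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed maillog excerpt; the addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Dec 13 08:05:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Dec 13 08:05:42 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Dec 13 08:05:43 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
Dec 13 09:06:00 mail dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): user=<>, rip=203.0.113.7, lip=192.0.2.10
"""

def extract_failures(log_text, regex, year=2015):
    """Return (timestamp, host) per matching line, i.e. what fail2ban logs as 'Found <ip>'."""
    pattern = re.compile(regex.replace("<HOST>", HOST_TAG_PATTERN))
    found = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:  # syslog stamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found

def would_ban(failures, maxretry=20, findtime=3600):
    """Per-host sliding window with the jail.local values: a host is banned once
    maxretry failures fall inside any findtime-second span (simplified accounting)."""
    windows, banned = defaultdict(deque), set()
    for ts, host in sorted(failures):
        q = windows[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def simulate(n, interval_sec, host="203.0.113.7"):
    """Constructed series of n failures from one IP, one every interval_sec seconds."""
    start = datetime(2015, 12, 13, 8, 5, 43)
    return host in would_ban([(start + timedelta(seconds=i * interval_sec), host) for i in range(n)])
```

simulate(25, 60) reports a ban while simulate(25, 200) does not: 25 failures spaced 200 seconds apart never put 20 of them inside one 3600-second window, which is the situation Bill's first question describes.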

-----Original Message-----
From: Bill Shirley [mailto:[email protected]] 
Sent: Saturday, December 12, 2015 9:18 PM
To: [email protected]
Subject: Re: [Fail2ban-users] Fail2ban not executing action

Have you tried using '<HOST>' instead of '(?P<host>\\S*)', which looks wrong
due to the double backslash?

You are getting hits but maybe it can't find the IP address.

Bill


On 12/12/2015 11:55 PM, Brad wrote:
> The same IP hits about once every minute, failing and filling up my log...
> That was the reason I tried Fail2ban...
>
>
> -----Original Message-----
> From: Bill Shirley [mailto:[email protected]]
> Sent: Saturday, December 12, 2015 8:37 PM
> To: [email protected]
> Subject: Re: [Fail2ban-users] Fail2ban not executing action
>
> I don't see any errors in your configuration.  Could it be you don't 
> have 20 hits within one hour for the same IP address?
>
> Bill
>
> On 12/12/2015 10:48 PM, Brad wrote:
>> I have installed Fail2ban on CentOS 6.7 and configured it to handle
>> failed login attempts to dovecot.  I tried to configure it based on
>> various different directions on the web, but no luck.
>>
>> It appears the filter is working correctly, but the action never
>> seems to get executed.
>>
>> fail2ban-client status dovecot-pop3imap
>> ----------------------------------------------------------------
>> Status for the jail: dovecot-pop3imap
>> |- Filter
>> |  |- Currently failed: 1
>> |  |- Total failed:     9
>> |  `- File list:        /var/log/maillog
>> `- Actions
>>      |- Currently banned: 0
>>      |- Total banned:     0
>>      `- Banned IP list:
>> ================================================================
>>
>> fail2ban-client -d
>> ----------------------------------------------------------------
>> ['set', 'syslogsocket', 'auto']
>> ['set', 'loglevel', 'INFO']
>> ['set', 'logtarget', '/var/log/fail2ban']
>> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
>> ['set', 'dbpurgeage', 86400]
>> ['add', 'dovecot-pop3imap', 'auto']
>> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
>> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
>> ['set', 'dovecot-pop3imap', 'maxretry', 20]
>> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
>> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
>> ['set', 'dovecot-pop3imap', 'bantime', 172800]
>> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
>> ['set', 'dovecot-pop3imap', 'findtime', 3600]
>> ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*']
>> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
>> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
>> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionunban', '']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actioncheck', '']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'name', 'dovecot-pop3imap']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'dest', '[email protected]']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/__name__', 'Init']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'known/dest', 'root']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
>> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'sender', 'fail2ban']
>> ['start', 'dovecot-pop3imap']
>> ================================================================
>>
>> Relevant part of jail.local
>> ----------------------------------------------------------------
>> [dovecot-pop3imap]
>> enabled = true
>> filter = dovecot-pop3imap
>> port = pop3,pop3s,imap,imaps
>> action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
>>            sendmail-whois[name=dovecot-pop3imap, [email protected]]
>> logpath = /var/log/maillog
>> maxretry = 20
>> findtime = 3600
>> bantime = 172800
>> ================================================================
>>
>> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot-pop3imap.conf
>> ----------------------------------------------------------------
>> Running tests
>> =============
>> Use   failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
>> Use         log file : /var/log/maillog
>> Use         encoding : UTF-8
>>
>> Results
>> =======
>> Failregex: 927 total
>> |-  #) [# of hits] regular expression
>> |   1) [927] (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> |  [28894] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>>
>> Lines: 28894 lines, 0 ignored, 927 matched, 27967 missed [processed in 3.86 sec]
>> Missed line(s): too many to print.  Use --print-all-missed to print all 27967 lines
>> ================================================================
>>
>> No errors appear in the fail2ban log, even on Debug level of logging.
>>
>> Email seems to work fine for the shutdown and startup of Fail2ban.
>>
>> Any ideas on why this may be happening?
>>
>> Did I overlook something or is there a typo in my work?
>>
>> Fail2ban version v0.9.3
>>
>> CentOS release 6.7 (Final)
>>
>> Thanks!!
>>
>>
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>
