Re: [Dovecot] Fail2ban and logging

2013-07-17 Thread Paul van der Vlis
Hello Mark (and others),

On 16-07-13 05:00, Mark Sapiro wrote:
> On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
>>
>> Are you blocked when you login a few times with a wrong password?
>>
>> I expect your log will say something like "auth failed, 22 attempts in
> >> 30 secs", and fail2ban will see that as 1 authentication error, so will
>> not block you.
> 
> 
> I am blocked. The log says
> 
> Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 2 secs): user=, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=
> 
> Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 6 secs): user=, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=
> 
> Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 10 secs): user=, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=
> 
> Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 17 secs): user=, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=
> 
> Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 17 secs): user=, method=APOP, rip=98.248.186.228,
> lip=72.52.113.16, TLS, session=
> 
> 
> The difference may be that I am connecting to pop3s, port 995 with SSL,
> not port 110 with STARTTLS.

What surprises me is that every attempt is logged. With me the attempts are
counted together.  I think it's not very important which port or
protocol is used.

With regards,
Paul van der Vlis.





-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/



Re: [Dovecot] Fail2ban and logging

2013-07-15 Thread Mark Sapiro
On 07/15/2013 09:09 AM, Paul van der Vlis wrote:
> 
> Are you blocked when you login a few times with a wrong password?
> 
> I expect your log will say something like "auth failed, 22 attempts in
> 30 secs", and fail2ban will see that as 1 authentication error, so will
> not block you.


I am blocked. The log says

Jul 15 19:36:06 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=

Jul 15 19:36:16 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 6 secs): user=, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=

Jul 15 19:36:29 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 10 secs): user=, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=

Jul 15 19:36:49 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=

Jul 15 19:37:09 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 17 secs): user=, method=APOP, rip=98.248.186.228,
lip=72.52.113.16, TLS, session=


The difference may be that I am connecting to pop3s, port 995 with SSL,
not port 110 with STARTTLS.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Dovecot] Fail2ban and logging

2013-07-15 Thread Paul van der Vlis
On 14-07-13 20:52, Mark Sapiro wrote:
> On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
>> Hello,
>>
>> Dovecot is logging authentication failures this way:
>> --
>> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
>> attempts in 172 secs): user=, method=PLAIN, rip=82.95.148.152,
>> lip=1.2.3.4, TLS, session=
>> --
> 
> 
> Is there a reason why you are allowing PLAIN text login
> (disable_plaintext_auth = no)?

I use STARTTLS, so it's not plaintext over the internet.

> I do not allow plaintext login and I get messages like:
> 
> Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use
> disallowed plaintext auth): user=<>, rip=219.84.103.232,
> lip=72.52.113.38, session=
> 
> I also have
> 
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
> }
> 
> and for secure login failures I get messages like:
> 
> Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
> attempts in 2 secs): user=, method=APOP, rip=68.183.193.239,
> lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>
> 
> and in fail2ban I have
> 
> failregex = Aborted login \(.*\): .*rip=<HOST>,
>             Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
>             warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:
> 
> I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.

Are you blocked when you login a few times with a wrong password?

I expect your log will say something like "auth failed, 22 attempts in
30 secs", and fail2ban will see that as 1 authentication error, so will
not block you.

With regards,
Paul van der Vlis.



-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/
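
The counting problem raised in the message above, as an added example that is not part of the original thread: a line-per-failure count (how a log-line matcher such as fail2ban tallies) compared with a count weighted by the "N attempts" field Dovecot writes. The regex, function names, threshold and sample log lines are constructed for illustration; the IPv4 group is a simplified stand-in for fail2ban's `<HOST>` tag, and the time window (`findtime`) is ignored.

```python
import re
from collections import defaultdict

# Hypothetical pattern covering both wordings quoted in the thread
# ("Aborted login" and "Disconnected") and capturing the attempt count.
AUTH_FAILED = re.compile(
    r"dovecot: (?:pop3|imap)-login: (?:Aborted login|Disconnected) "
    r"\(auth failed, (?P<attempts>\d+) attempts in (?P<secs>\d+) secs\):"
    r".*\brip=(?P<rip>\d{1,3}(?:\.\d{1,3}){3}),"
)

# Constructed sample records in the format shown in the thread
# (documentation-range addresses, made-up users and session ids).
SAMPLE_LOG = """\
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<constructed1>
Jul 15 19:36:06 vps0 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=APOP, rip=203.0.113.9, lip=192.0.2.1, TLS, session=<constructed2>
Jul 15 19:36:16 vps0 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<bob>, method=APOP, rip=203.0.113.9, lip=192.0.2.1, TLS, session=<constructed3>
Jul 15 19:36:29 vps0 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 10 secs): user=<bob>, method=APOP, rip=203.0.113.9, lip=192.0.2.1, TLS, session=<constructed4>
Jul 15 19:40:00 vps0 dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, mpid=1234, TLS, session=<constructed5>
"""


def count_failures(log_text):
    """Return {ip: (matching_lines, summed_attempts)} for auth-failed records."""
    lines = defaultdict(int)
    attempts = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        lines[m["rip"]] += 1
        attempts[m["rip"]] += int(m["attempts"])
    return {ip: (lines[ip], attempts[ip]) for ip in lines}


def would_ban(log_text, maxretry=3, weighted=False):
    """IPs whose count reaches maxretry, by lines or by summed attempts."""
    idx = 1 if weighted else 0
    counts = count_failures(log_text)
    return sorted(ip for ip, c in counts.items() if c[idx] >= maxretry)


if __name__ == "__main__":
    print("per-line counting:  ", would_ban(SAMPLE_LOG))
    print("attempt-weighted:   ", would_ban(SAMPLE_LOG, weighted=True))
```

With per-line counting, the client that made 22 attempts on one connection produces a single match and stays under the threshold, while the client that reconnected for each of three attempts reaches it.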



Re: [Dovecot] Fail2ban and logging

2013-07-14 Thread Mark Sapiro
On 07/14/2013 03:26 AM, Paul van der Vlis wrote:
> Hello,
> 
> Dovecot is logging authentication failures this way:
> --
> Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
> attempts in 172 secs): user=, method=PLAIN, rip=82.95.148.152,
> lip=1.2.3.4, TLS, session=
> --


Is there a reason why you are allowing PLAIN text login
(disable_plaintext_auth = no)?

I do not allow plaintext login and I get messages like:

Jul 12 16:03:27 sbh16 dovecot: pop3-login: Disconnected (tried to use
disallowed plaintext auth): user=<>, rip=219.84.103.232,
lip=72.52.113.38, session=

I also have

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}

and for secure login failures I get messages like:

Jul 14 11:38:57 sbh16 dovecot: pop3-login: Aborted login (auth failed, 1
attempts in 2 secs): user=, method=APOP, rip=68.183.193.239,
lip=72.52.113.16, TLS, session=<8/ZeDn3hNwBEt8Hv>

and in fail2ban I have

failregex = Aborted login \(.*\): .*rip=<HOST>,
            Disconnected \(tried to use disabled.*\): .*rip=<HOST>,
            warning:.*\[<HOST>\]: SASL [^ ]+ authentication failed:

I'm running Dovecot 2.2.4, but the above hasn't changed for a long time.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan