I'm getting a lot of attempts against Dovecot on my server, and I thought that fail2ban would stop them. On reading the wiki, it seems that Dovecot is not active out of the box on SME10 unless you use smeserver-dovecot. I followed this link, but it took me to a page in French. Am I missing something or is there a way to add dovecot to fail2ban? Thanks.
Have you tried these?
rpm -qa |grep dovecot
systemctl status dovecot
Looking at this page:
https://wiki.koozali.org/Fail2ban#Services
It looks like it needs amending slightly for the Services/Dovecot piece (please open a documentation bug).
If you search about you will see posts here regarding dovecot and why you see an increase in attempts.
It relates to the replacement of cvm-unix in smeserver-qpsmtpd; see elsewhere for why we had to do this. We now use a qpsmtpd imap plugin for authentication instead, so the attacks are now against dovecot and not cvm-unix.
If you check fail2ban via the scripts on the fail2ban page you can see what is active, e.g.:
fail2ban-client status
Status
|- Number of jail: 14
`- Jail list: ftp, http-auth, http-badbots, http-fakegooglebot, http-noscript, http-overflows, http-scan, http-shellshock, imap, pam-generic, qpsmtpd, recidive, ssh, ssh-ddos
Note 'imap'
You can check:
cat /etc/fail2ban/jail.conf
[imap]
enabled = true
filter = dovecot
logpath = /var/log/dovecot/dovecot.log
action = smeserver-iptables[port="143,993",protocol=tcp,bantime=1800]
         smeserver-sendmail[name="Dovecot",dest=root]
Check the triggers here:
cat /etc/fail2ban/filter.d/dovecot.conf
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
<mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
And look at your logs here
/var/log/dovecot/dovecot.log
Fail2ban probably does stop some attacks but remember it needs to meet a trigger threshold.
As we have mentioned elsewhere a very good way of cutting this down is to use the xt tables contrib.
That will dramatically reduce the number of attacks you receive.
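To see how the dovecot filter quoted above and the "trigger threshold" interact, here is an added example (not from the reply above, not SME Server or fail2ban code) that applies those four failregex lines, plus the mdre-aggressive line when mode="aggressive", to constructed dovecot.log lines and counts hits per rhost/rip. Assumptions: fail2ban's <HOST> tag is approximated by its usual "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)" regex, the timestamp/process prefix is stripped by a simplified version of the filter's prefregex, maxretry defaults to 5 (fail2ban's stock default; check your jail.conf), and findtime is not modelled.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/dovecot/dovecot.log format; not real log data.
SAMPLE_LOG = """\
Mar 01 10:20:30 imap-login: Info: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a1b2c3>
Mar 01 10:20:31 auth: passwd-file(admin,203.0.113.5,<a1b2c3>): unknown user
Mar 01 10:20:40 imap-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.5, lip=10.0.0.1, session=<d4e5f6>
Mar 01 10:21:02 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, mpid=1234, TLS, session=<g7h8i9>
Mar 01 10:21:15 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.1, TLS, session=<j1k2l3>
Mar 01 10:21:20 imap-login: Info: Disconnected (no auth attempts in 5 secs): user=<>, rip=198.51.100.9, lip=10.0.0.1, TLS, session=<m4n5o6>
Mar 01 10:21:30 imap-login: Info: Disconnected (auth failed, 5 attempts in 12 secs): user=<root>, method=LOGIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<p7q8r9>
Mar 01 10:21:31 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<s1t2u3>
"""

# The failregex lines from /etc/fail2ban/filter.d/dovecot.conf as quoted in the reply.
FAILREGEX = [
    r"^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$",
    r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$",
    r"^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$",
    r"^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)",
]

# <mdre-<mode>> expands to nothing in normal mode and to this line in aggressive mode.
MDRE = {
    "normal": [],
    "aggressive": [
        r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$",
    ],
}

# Assumption: fail2ban's usual expansion of the <HOST> tag.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: simplified stand-in for the filter's prefregex, which removes the
# "Mar 01 10:20:30 imap-login: Info: " style prefix before failregex is applied.
PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?:[\w-]+(?:\(\d+\))?: )?(?:(?:Info|Warning|Error|Debug): )?")


def to_python_regex(failregex):
    """Turn a fail2ban failregex into a compiled Python regex with named groups."""
    rx = failregex.replace("<HOST>", HOST)
    rx = re.sub(r"<F-([A-Z0-9_]+)>", lambda m: "(?P<%s>" % m.group(1).lower(), rx)
    rx = re.sub(r"</F-[A-Z0-9_]+>", ")", rx)
    return re.compile(rx)


def compile_filter(mode="normal"):
    return [to_python_regex(p) for p in FAILREGEX + MDRE[mode]]


def count_failures(log_text, mode="normal"):
    """Return a Counter of failregex hits per source host, like fail2ban's tally."""
    patterns = compile_filter(mode)
    hits = Counter()
    for line in log_text.splitlines():
        content = PREFIX.sub("", line, count=1)
        for rx in patterns:
            m = rx.search(content)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per line, whichever failregex matched first
    return hits


def hosts_to_ban(log_text, maxretry=5, mode="normal"):
    """Hosts whose hit count reached the jail's maxretry (findtime ignored here)."""
    return sorted(h for h, n in count_failures(log_text, mode).items() if n >= maxretry)


if __name__ == "__main__":
    for mode in ("normal", "aggressive"):
        print(mode, dict(count_failures(SAMPLE_LOG, mode)), "ban:", hosts_to_ban(SAMPLE_LOG, mode=mode))
```

The point the tally makes: 203.0.113.5 is only banned once it has accumulated five matching lines, and 198.51.100.9 is never banned in normal mode because its "no auth attempts" disconnect is only counted by the aggressive mode regex. On a live box, fail2ban-regex /var/log/dovecot/dovecot.log /etc/fail2ban/filter.d/dovecot.conf gives the authoritative answer for your own log and filter version.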