Koozali.org: home of the SME Server

Fail2Ban and Dovecot

Offline Peasant

Fail2Ban and Dovecot
« on: September 09, 2023, 01:45:45 PM »
I'm getting a lot of attempts against Dovecot on my server, and I thought that fail2ban would stop them. On reading the wiki, it seems that Dovecot is not active out of the box on SME10 unless you use smeserver-dovecot. I followed this link, but it took me to a page in French. Am I missing something or is there a way to add dovecot to fail2ban? Thanks.
Jim

Offline ReetP

Re: Fail2Ban and Dovecot
« Reply #1 on: September 09, 2023, 02:41:37 PM »
I'm getting a lot of attempts against Dovecot on my server, and I thought that fail2ban would stop them. On reading the wiki, it seems that Dovecot is not active out of the box on SME10 unless you use smeserver-dovecot. I followed this link, but it took me to a page in French. Am I missing something or is there a way to add dovecot to fail2ban? Thanks.

Have you tried these?

Code:
rpm -qa |grep dovecot
systemctl status dovecot

Looking at this page:

https://wiki.koozali.org/Fail2ban#Services

It looks like it needs amending slightly for the Services/Dovecot piece (open a documentation bug please)

If you search about you will see posts here regarding dovecot and why you see an increase in attempts.

It is regarding the replacement of cvm-unix in smeserver-qpsmtpd - see elsewhere for why we had to do this. We now use a qpsmtpd imap plugin for authentication instead. So the attacks are now against dovecot and not cvm-unix.

If you check fail2ban via the scripts on the fail2ban page you can see what is active, e.g.:

Code:
fail2ban-client status
Code:
Status
|- Number of jail: 14
`- Jail list: ftp, http-auth, http-badbots, http-fakegooglebot, http-noscript, http-overflows, http-scan, http-shellshock, imap, pam-generic, qpsmtpd, recidive, ssh, ssh-ddos

Note 'imap'

You can check:

Code:
cat /etc/fail2ban/jail.conf
Code:
[imap]
enabled  = true
filter   = dovecot
logpath  = /var/log/dovecot/dovecot.log
action   = smeserver-iptables[port="143,993",protocol=tcp,bantime=1800]
           smeserver-sendmail[name="Dovecot",dest=root]

Check the triggers here:

Code:
cat /etc/fail2ban/filter.d/dovecot.conf

Code:
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
            <mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$


And look at your logs here:

Code:
/var/log/dovecot/dovecot.log
Fail2ban probably does stop some attacks but remember it needs to meet a trigger threshold.

As we have mentioned elsewhere a very good way of cutting this down is to use the xt tables contrib.

That will dramatically reduce the number of attacks you receive.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Peasant

Re: Fail2Ban and Dovecot
« Reply #2 on: September 10, 2023, 11:55:55 AM »
Thanks for the detailed reply, much appreciated.

I'll read and digest and have a look. I'll report back (hopefully) with how I get on.

Cheers,
Jim

Offline Jean-Philippe Pialasse

Re: Fail2Ban and Dovecot
« Reply #3 on: September 11, 2023, 12:49:27 PM »
Considering that the last update of smeserver-qpsmtpd now authenticates SMTP against IMAP, you might see an increase of auth attempts in IMAP, but with the 127.0.0.1 IP.
Those should trigger fail2ban at the qpsmtpd level, while adding noise to the imap/dovecot log.
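Two points in this thread are easier to see with a small replay than by reading the jail and filter files: ReetP's note that fail2ban only bans once a trigger threshold is met, and Jean-Philippe's note that SMTP auth now shows up in the Dovecot log as failures from 127.0.0.1. The script below is an added example, not code from the thread, from SME Server or from fail2ban itself. It takes two of the failregex lines quoted from /etc/fail2ban/filter.d/dovecot.conf, substitutes a simplified stand-in for fail2ban's <HOST> placeholder (IP literals only; the real one also accepts hostnames), runs them over a constructed dovecot.log sample, and applies a sliding findtime window per host. The maxretry=5 / findtime=600 values are fail2ban's documented defaults and are assumed here because the [imap] jail shown above does not set them; the ignoreip set mirrors fail2ban's ignoreself/ignoreip behaviour so the localhost noise is skipped rather than counted against the imap jail. The year 2023 is assumed because dovecot.log timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> placeholder: an IPv4/IPv6 literal only
# (assumption; the real placeholder also accepts hostnames).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# Modelled on the dovecot prefregex: peel off the dovecot.log timestamp, the
# "imap-login:" / "auth-worker(...):" process name and the "Info:" level,
# leaving the content that the failregex lines are matched against.
PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?:imap|pop3|lmtp|submission|managesieve)-login: )?"
    r"(?:auth(?:-worker)?(?:\([^\)]+\))?: )?"
    r"(?:Info: )?(?P<content>.+)$"
)

# Two of the failregex lines from filter.d/dovecot.conf quoted in the thread,
# with the <F-USER> tag turned into a named group and <HOST> substituted.
FAILREGEX = [
    re.compile(
        r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
        r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
        r"|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):"
        r"(?: user=<(?P<user>[^>]*)>,)?(?: method=\S+,)? rip=" + HOST
        + r"(?:[^>]*(?:, session=<\S+>)?)\s*$"
    ),
    re.compile(
        r"^[a-z\-]{3,15}\(\S*," + HOST
        + r"(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)"
    ),
]

# Constructed sample of /var/log/dovecot/dovecot.log (not a real capture):
# five failures from one remote host, one successful login from another,
# and one local failure of the kind qpsmtpd's imap auth plugin produces.
SAMPLE_LOG = """\
Sep 09 13:45:01 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<jim>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s1>
Sep 09 13:45:20 imap-login: Info: Aborted login (auth failed, 1 attempts in 3 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s2>
Sep 09 13:45:41 auth-worker(1234): Info: passwd-file(root,203.0.113.5): unknown user
Sep 09 13:46:02 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s3>
Sep 09 13:46:30 imap-login: Info: Login: user=<jim>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=555, TLS, session=<s4>
Sep 09 13:46:44 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<jim>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, session=<s5>
Sep 09 13:47:10 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s6>
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def match_failure(line, year=2023):
    """Return (timestamp, remote host) if the line is a Dovecot auth failure, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    for rx in FAILREGEX:
        f = rx.match(m.group("content"))
        if f:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, f.group("host")
    return None


def failures_per_host(lines, ignoreip=()):
    """Plain count of matching failure lines per remote host (no window, no threshold)."""
    counts = defaultdict(int)
    for line in lines:
        hit = match_failure(line)
        if hit and hit[1] not in ignoreip:
            counts[hit[1]] += 1
    return dict(counts)


def find_bans(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1", "::1")):
    """Replay lines through a per-host sliding window the way fail2ban decides to ban.

    Returns the (host, timestamp) pairs at which a ban would fire. maxretry and
    findtime default to fail2ban's documented defaults (assumed, since the
    [imap] jail on the page does not set them); ignoreip skips localhost.
    """
    window = defaultdict(deque)
    bans = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip:
            continue
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            bans.append((host, ts))
            q.clear()  # the counter starts over once the host is banned
    return bans


if __name__ == "__main__":
    print("failures per host:", failures_per_host(SAMPLE_LINES))
    print("bans (maxretry=5):", find_bans(SAMPLE_LINES))
    print("bans (maxretry=3):", find_bans(SAMPLE_LINES, maxretry=3))
```

With the defaults the remote host accumulates five matching lines inside the window and is banned at 13:47:10; lowering maxretry to 3 moves the ban forward to the third failure. The 127.0.0.1 line matches the filter just like the others, which is the noise Jean-Philippe describes; it is only the ignoreip check that keeps it out of the imap jail's count, so when comparing fail2ban-client status against your own log you need to look at rip=, not just at how many "auth failed" lines there are.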