Channel: iRedMail

Fail2ban and iredmail


======== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Debian 6
- Related log if you're reporting an issue:
====

Hello,
I've started to have a problem (when I restarted fail2ban) with the fail2ban logs, but it looks like fail2ban is working.


For example, the:

dovecot.iredmail.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tr$
ignoreregex =

dovecot.log

Jun 03 10:13:57 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<mail@domain.com>, method=PLAIN, rip=USER_IP_ADDRESS, lip=SERVER_IP_ADDRESS, TLS: Disconnected

jail.local

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", prot$
logpath     = /var/log/dovecot.log
maxretry    = 3
findtime    = 300
bantime     = 3600
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

But when I do this:

fail2ban-regex /var/log/dovecot.log etc/fail2ban/filter.d/dovecot.iredmail.conf

I get:

Results
=======

Failregex
|- Regular expressions:
|  [1] etc/fail2ban/filter.d/dovecot.iredmail.conf
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

And in fail2ban.log I get:

2013-06-03 10:01:21,869 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:21,870 fail2ban.filter : DEBUG  /var/log/mail.log has been modified
2013-06-03 10:01:21,870 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:24,183 fail2ban.filter : DEBUG  /var/log/dovecot.log has been modified
2013-06-03 10:01:24,183 fail2ban.filter : DEBUG  Found USER_IP_ADDRESS
2013-06-03 10:01:24,183 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:24,637 fail2ban.actions: WARNING [dovecot-iredmail] Ban USER_IP_ADDRESS
2013-06-03 10:01:24,637 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-dovecot
2013-06-03 10:01:24,640 fail2ban.actions.action: DEBUG  iptables -n -L INPUT | grep -q fail2ban-dovecot returned successfully
2013-06-03 10:01:24,640 fail2ban.actions.action: DEBUG  iptables -I fail2ban-dovecot 1 -s USER_IP_ADDRESS -j DROP
2013-06-03 10:01:24,642 fail2ban.actions.action: DEBUG  iptables -I fail2ban-dovecot 1 -s USER_IP_ADDRESS -j DROP returned successfully

And when I check, USER_IP_ADDRESS is banned, but in the log files I have a mess and I need to straighten things out.

In fail2ban.log, in a loop, I have:

2013-06-03 10:01:49,211 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:02:21,245 fail2ban.filter : DEBUG  /var/log/dovecot.log has been modified

and

2013-06-03 10:01:20,868 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2013-06-03 10:01:21,868 fail2ban.filter : DEBUG  /var/log/mail.log has been modified

If you could help me straighten things out with dovecot, I think I can handle proftpd, ssh, etc. by myself.

Best regards,
ag
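A way to reproduce a fail2ban-regex style check outside fail2ban, as an added example that is not part of the original post or of iRedMail: the script expands the <HOST> tag the way the fail2ban 0.8 series does and runs two failregex variants over Dovecot log lines. A pattern that only accepts "Aborted login (auth failed" misses a "Disconnected (auth failed" line like the one quoted in the post, while a pattern that also accepts that wording catches it. The regexes, log lines and addresses are constructed for this example (the post's own filter is truncated, so its full pattern is not reproduced here).

```python
import re

# fail2ban 0.8.x replaces <HOST> in a failregex with this named group (assumption: 0.8-series expansion).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Dovecot login log lines constructed for this example; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 03 10:13:57 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<mail@domain.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS: Disconnected
Jun 03 10:14:02 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<mail@domain.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.1, TLS
Jun 03 10:14:30 imap-login: Info: Login: user=<mail@domain.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
"""

# Only the "Aborted login (auth failed" wording is recognised; "Disconnected (auth failed" is not.
NARROW = r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed).*rip=<HOST>"

# Same pattern with the "Disconnected (auth failed" wording added as a further alternative.
WIDE = (r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
        r"|Disconnected \(auth failed).*rip=<HOST>")


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting filter pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_lines(failregex, log_text):
    """Return the host captured from every line the failregex matches, in log order.

    This mirrors what fail2ban-regex reports as matches: one entry per matching line,
    carrying the address fail2ban would count towards maxretry.
    """
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    # The narrow pattern sees only the "Aborted login" line; the wide one also sees "Disconnected".
    print("narrow:", match_lines(NARROW, SAMPLE_LOG))
    print("wide:  ", match_lines(WIDE, SAMPLE_LOG))
```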

