Fail2Ban não bloqueando ataque de força bruta no pombal

Eu rodei um servidor do CentOS 5 com o fail2ban e atualmente estou sendo atingido por um ataque de bruteforce no meu serviço dovecot.

Eu sei que o fail2ban está funcionando, porque está bloqueando ataques no meu servidor FTP e no Postfix. Por alguma razão, estou perdendo algo com o dovecot, pois o log do fail2ban não tem nada e o ataque continua sem parar.

Meus logs são os seguintes. Dovecot registra tudo para - /var/log/dovecot-info.log

Eu vejo dois tipos de registros. O primeiro se parece com isso (Nota: Meu servidor Ip está OK - eu bloqueei os detalhes com xxx.xxx.xxx):

Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:23 auth: Info: passwd-file(felipe,177.19.151.139): unknown user
Feb 22 21:48:25 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felipe>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:29 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:31 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:40 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:42 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:50 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:52 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:00 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:02 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:11 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:13 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:21 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:23 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:32 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:34 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:42 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:44 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:52 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:54 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:03 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:50:05 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:13 auth: Info: passwd-file(felix,177.19.151.139): unknown user

O segundo parece assim:

Feb 22 22:10:37 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:38 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frances>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<francis>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forrest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frank,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forrest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frankie,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(fox,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user

jail.conf tem esta aparência:

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, [email protected], [email protected]]
logpath  = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime  = 1200

filter.d / dovecot.conf tem esta aparência:

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Ti$

ignoreregex =

fail2ban.conf tem esta aparência:

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Estou quase certo de que meu regex está errado de alguma forma, mas estou perdido. Qualquer ajuda que alguém possa fornecer é bem-vinda neste momento.

Mais informações - Eu reiniciei o serviço após as alterações e não faz diferença e a data / hora é precisa.