OK, everything is working now, after changing one line in /etc/fail2ban/jail.conf, in the [dovecot] section:
backend = %(dovecot_backend)s to backend = polling
Software: CentOS 7 (with firewalld), fail2ban 0.9.5, dovecot 2.2.10
I am trying to set up fail2ban on my mail server to protect it against brute-force logins over IMAP (Dovecot). Right now I am stuck and fail2ban still does not work; below are my configuration files:
In /var/log/fail2ban.log:
2016-12-09 21:29:29,110 fail2ban.server [3712]: INFO Exiting Fail2ban
2016-12-09 21:29:29,306 fail2ban.server [4080]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.5
2016-12-09 21:29:29,306 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
2016-12-09 21:29:29,307 fail2ban.database [4080]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2016-12-09 21:29:29,309 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dbpurgeage', '86400']
2016-12-09 21:29:29,310 fail2ban.transmitter [4080]: DEBUG Command: ['add', 'dovecot', 'systemd']
2016-12-09 21:29:29,310 fail2ban.jail [4080]: INFO Creating new jail 'dovecot'
2016-12-09 21:29:29,335 fail2ban.jail [4080]: INFO Jail 'dovecot' uses systemd
2016-12-09 21:29:29,335 fail2ban.filter [4080]: DEBUG Setting usedns = warn for FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,361 fail2ban.filter [4080]: DEBUG Created FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,362 fail2ban.filtersystemd [4080]: DEBUG Created FilterSystemd
2016-12-09 21:29:29,362 fail2ban.jail [4080]: INFO Initiated 'systemd' backend
2016-12-09 21:29:29,363 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'usedns', 'warn']
2016-12-09 21:29:29,363 fail2ban.filter [4080]: DEBUG Setting usedns = warn for FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,364 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'maxretry', '1']
2016-12-09 21:29:29,364 fail2ban.filter [4080]: INFO Set maxRetry = 1
2016-12-09 21:29:29,364 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addignoreip', '127.0.0.1/8']
2016-12-09 21:29:29,364 fail2ban.filter [4080]: DEBUG Add 127.0.0.1/8 to ignore list
2016-12-09 21:29:29,365 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'logencoding', 'auto']
2016-12-09 21:29:29,366 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'bantime', '60000']
2016-12-09 21:29:29,366 fail2ban.actions [4080]: INFO Set banTime = 60000
2016-12-09 21:29:29,366 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'ignorecommand', '']
2016-12-09 21:29:29,367 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'findtime', '60000']
2016-12-09 21:29:29,367 fail2ban.filter [4080]: INFO Set findtime = 60000
2016-12-09 21:29:29,368 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$']
2016-12-09 21:29:29,369 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$']
2016-12-09 21:29:29,371 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$']
2016-12-09 21:29:29,376 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$']
2016-12-09 21:29:29,384 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$']
2016-12-09 21:29:29,391 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$']
2016-12-09 21:29:29,399 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$']
2016-12-09 21:29:29,405 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: sql\(\S*,<HOST>\): unknown user\s*$']
2016-12-09 21:29:29,412 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: sql\(\S*,<HOST>\): Password mismatch\s*$']
2016-12-09 21:29:29,419 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addjournalmatch', '_SYSTEMD_UNIT=dovecot.service']
2016-12-09 21:29:29,419 fail2ban.filtersystemd [4080]: INFO Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2016-12-09 21:29:29,420 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addaction', 'firewallcmd-ipset']
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set action firewallcmd-ipset timeout = 60
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionstart =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionban =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionunban =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actioncheck =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionstop =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2016-12-09 21:29:29,421 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionban', 'ipset add fail2ban-<name> <ip> timeout <bantime> -exist']
2016-12-09 21:29:29,421 fail2ban.CommandAction [4080]: DEBUG Set actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
2016-12-09 21:29:29,422 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstop', 'firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>\nipset flush fail2ban-<name>\nipset destroy fail2ban-<name>']
2016-12-09 21:29:29,422 fail2ban.CommandAction [4080]: DEBUG Set actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
2016-12-09 21:29:29,422 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstart', 'ipset create fail2ban-<name> hash:ip timeout <bantime>\nfirewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>']
2016-12-09 21:29:29,422 fail2ban.CommandAction [4080]: DEBUG Set actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
2016-12-09 21:29:29,423 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionunban', 'ipset del fail2ban-<name> <ip> -exist']
2016-12-09 21:29:29,423 fail2ban.CommandAction [4080]: DEBUG Set actionunban = ipset del fail2ban-<name> <ip> -exist
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'protocol', 'tcp']
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'chain', 'INPUT']
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'lockingopt', '-w']
2016-12-09 21:29:29,425 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/name', 'default']
2016-12-09 21:29:29,425 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,426 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/lockingopt', '-w']
2016-12-09 21:29:29,427 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/port', 'ssh']
2016-12-09 21:29:29,427 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/protocol', 'tcp']
2016-12-09 21:29:29,428 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/lockingopt', '-w']
2016-12-09 21:29:29,428 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'port', 'pop3,pop3s,imap,imaps,submission,465,sieve']
2016-12-09 21:29:29,429 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/chain', 'INPUT']
2016-12-09 21:29:29,429 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/name', 'default']
2016-12-09 21:29:29,430 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/protocol', 'tcp']
2016-12-09 21:29:29,430 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/bantime', '600']
2016-12-09 21:29:29,431 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'bantime', '60000']
2016-12-09 21:29:29,431 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/__name__', 'Init']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'returntype', 'RETURN']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/returntype', 'RETURN']
2016-12-09 21:29:29,433 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/__name__', 'Init']
2016-12-09 21:29:29,433 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/returntype', 'RETURN']
2016-12-09 21:29:29,434 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'name', 'dovecot']
2016-12-09 21:29:29,434 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/port', 'ssh']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/chain', 'INPUT_direct']
2016-12-09 21:29:29,436 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,437 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,437 fail2ban.transmitter [4080]: DEBUG Command: ['start', 'dovecot']
2016-12-09 21:29:29,439 fail2ban.filtersystemd [4080]: DEBUG Read systemd journal entry: u'2016-12-09T21:16:01.423994 xxx.xxx.com dovecot[1513]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf'
2016-12-09 21:29:29,441 fail2ban.filtersystemd [4080]: DEBUG Read systemd journal entry: u"2016-12-09T21:16:01.424219 xxx.xxx.com dovecot[1513]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it"
2016-12-09 21:29:29,442 fail2ban.jail [4080]: INFO Jail 'dovecot' started
2016-12-09 21:29:29,444 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable
2016-12-09 21:29:29,748 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stdout: 'success\n'
2016-12-09 21:29:29,749 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stderr: ''
2016-12-09 21:29:29,749 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- returned successfully
/etc/fail2ban/jail.conf
[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
findtime = 600
maxretry = 5
backend = systemd
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
#
# ACTIONS
#
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s
# JAILS
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
filter = dovecot
logpath = /var/log/dovecot.log
maxretry = 1
findtime = 60000
bantime = 60000
datepattern = %b %d %H:%M:%S
backend = %(dovecot_backend)s
/etc/fail2ban/filter.d/dovecot.conf
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
            auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
/etc/fail2ban/jail.d/00-firewalld.conf
[DEFAULT]
banaction = firewallcmd-ipset
Test: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Failregex: 11 total
|- #) [# of hits] regular expression
| 1) [10] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
| 2) [1] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$
'-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [24] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
'-
Lines: 24 lines, 0 ignored, 11 matched, 13 missed
[processed in 0.01 sec]
|- Matched line(s):
| Dec 09 13:21:24 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
| Dec 09 13:21:34 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
| Dec 09 14:16:13 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown user
| Dec 09 20:37:39 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 20:37:47 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 20:37:53 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 20:37:56 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 20:37:59 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 21:29:57 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 21:30:04 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
| Dec 09 21:30:11 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
'-
|- Missed line(s):
| Dec 09 14:16:19 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
| Dec 09 20:37:06 config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it
| Dec 09 20:37:09 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>
| Dec 09 20:37:09 imap([email protected]): Info: Disconnected: Disconnected in IDLE in=11 out=366
| Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>
| Dec 09 21:15:26 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
| Dec 09 21:15:26 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
| Dec 09 21:15:26 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
| Dec 09 21:16:01 master: Info: Dovecot v2.2.10 starting up for imap, lmtp (core dumps disabled)
| Dec 09 21:29:41 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4144, TLS, session=<ehkWnT9DVQCsEAIK>
| Dec 09 21:29:42 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4145, TLS, session=<59krnT9DVACsEAIK>
| Dec 09 21:30:21 imap([email protected]): Info: Disconnected: Logged out in=1716 out=12112
| Dec 09 21:32:48 imap-login: Info: Disconnected (auth failed, 3 attempts in 171 secs): user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<QIYQnj9DVwCsEAIK>
dovecot.log
Dec 09 13:21:24 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
Dec 09 13:21:34 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
Dec 09 14:16:13 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown user
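As an added illustration (not code from the post or from fail2ban itself), the following Python script applies the two failregex lines from the post's filter.d/dovecot.conf to a constructed log modelled on the excerpt above, and replays the jail's maxretry/findtime counting so you can see which hosts the post's settings (maxretry = 1, findtime = 60000) would ban compared with fail2ban's defaults. The user names, pids, session ids and the year 2016 are assumptions; the fused "unknown userDec 09 ..." line reproduces the one that fail2ban-regex listed as missed.

```python
import re
from datetime import datetime

# The two failregex lines from the post's filter.d/dovecot.conf. fail2ban
# expands <HOST> to a named group; an IPv4-only version is used here.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAILREGEX = [
    re.compile(r"auth-worker\(\S*\): Info: sql\(\S*," + HOST + r"\): Password mismatch\s*$"),
    re.compile(r"auth-worker\(\S*\): Info: sql\(\S*," + HOST + r"\): unknown user\s*$"),
]
# datepattern = %b %d %H:%M:%S from the jail; the log carries no year, 2016 is assumed.
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) ")
YEAR = 2016

# Constructed sample log, modelled on the excerpt in the post (user names,
# pids and session ids are made up). Line 4 deliberately reproduces the
# fused "unknown userDec 09 ..." line that fail2ban-regex reported as missed:
# the trailing \s*$ of the regex cannot match when two records share a line.
SAMPLE_LOG = [
    "Dec 09 13:21:24 auth-worker(30106): Info: sql(bob@example.com,192.168.13.107): Password mismatch",
    "Dec 09 13:21:34 auth-worker(30106): Info: sql(bob@example.com,192.168.13.107): Password mismatch",
    "Dec 09 14:16:13 auth-worker(31603): Info: sql(nobody@example.com,192.168.13.107): unknown user",
    "Dec 09 14:16:19 auth-worker(31603): Info: sql(nobody@example.com,192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf",
    "Dec 09 20:37:09 imap-login: Info: Login: user=<alice@example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<constructed1>",
    "Dec 09 20:37:39 auth-worker(11941): Info: sql(alice@example.com,172.16.2.10): Password mismatch",
    "Dec 09 20:37:47 auth-worker(11941): Info: sql(alice@example.com,172.16.2.10): Password mismatch",
    "Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<alice@example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<constructed2>",
]


def parse_failures(lines, year=YEAR):
    """Return (timestamp, host) for every line that hits one of the failregex."""
    failures = []
    for line in lines:
        m = DATE_RE.match(line)
        if not m:
            continue  # no timestamp: fail2ban would not process the line
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        rest = line[m.end():]  # fail2ban matches after stripping the date
        for rx in FAILREGEX:
            hit = rx.search(rest)
            if hit:
                failures.append((ts, hit.group("host")))
                break
    return failures


def simulate_jail(lines, maxretry, findtime):
    """Replay fail2ban's counter: ban a host at the failure that brings it to
    maxretry hits within findtime seconds. Returns {host: ban time (ISO)}."""
    recent = {}
    banned = {}
    for ts, host in parse_failures(lines):
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts.isoformat()
    return banned


if __name__ == "__main__":
    print("matched:", len(parse_failures(SAMPLE_LOG)), "of", len(SAMPLE_LOG))
    print("jail settings from the post (maxretry=1, findtime=60000):",
          simulate_jail(SAMPLE_LOG, maxretry=1, findtime=60000))
    print("fail2ban defaults (maxretry=5, findtime=600):",
          simulate_jail(SAMPLE_LOG, maxretry=5, findtime=600))
```

Only the auth-worker lines count with the trimmed filter; the stock filter's imap-login rule (visible in the debug log above) would also match the "auth failed, 5 attempts" summary line that goes unmatched here.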