Fail2ban is not banning IP

1

Software: CentOS 7 (with firewalld), fail2ban 0.9.5, dovecot 2.2.10

I am trying to configure fail2ban on my mail server to protect it from brute-force logins over IMAP (dovecot). I'm stuck now, and fail2ban still doesn't work; my configuration files are below:

in /var/log/fail2ban.log

    2016-12-09 21:29:29,110 fail2ban.server         [3712]: INFO    Exiting Fail2ban
    2016-12-09 21:29:29,306 fail2ban.server         [4080]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.5
    2016-12-09 21:29:29,306 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
    2016-12-09 21:29:29,307 fail2ban.database       [4080]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
    2016-12-09 21:29:29,309 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dbpurgeage', '86400']
    2016-12-09 21:29:29,310 fail2ban.transmitter    [4080]: DEBUG   Command: ['add', 'dovecot', 'systemd']
    2016-12-09 21:29:29,310 fail2ban.jail           [4080]: INFO    Creating new jail 'dovecot'
    2016-12-09 21:29:29,335 fail2ban.jail           [4080]: INFO    Jail 'dovecot' uses systemd
    2016-12-09 21:29:29,335 fail2ban.filter         [4080]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('dovecot'))
    2016-12-09 21:29:29,361 fail2ban.filter         [4080]: DEBUG   Created FilterSystemd(Jail('dovecot'))
    2016-12-09 21:29:29,362 fail2ban.filtersystemd  [4080]: DEBUG   Created FilterSystemd
    2016-12-09 21:29:29,362 fail2ban.jail           [4080]: INFO    Initiated 'systemd' backend
    2016-12-09 21:29:29,363 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'usedns', 'warn']
    2016-12-09 21:29:29,363 fail2ban.filter         [4080]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('dovecot'))
    2016-12-09 21:29:29,364 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'maxretry', '1']
    2016-12-09 21:29:29,364 fail2ban.filter         [4080]: INFO    Set maxRetry = 1
    2016-12-09 21:29:29,364 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addignoreip', '127.0.0.1/8']
    2016-12-09 21:29:29,364 fail2ban.filter         [4080]: DEBUG   Add 127.0.0.1/8 to ignore list
    2016-12-09 21:29:29,365 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'logencoding', 'auto']
    2016-12-09 21:29:29,366 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'bantime', '60000']
    2016-12-09 21:29:29,366 fail2ban.actions        [4080]: INFO    Set banTime = 60000
    2016-12-09 21:29:29,366 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'ignorecommand', '']
    2016-12-09 21:29:29,367 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'findtime', '60000']
    2016-12-09 21:29:29,367 fail2ban.filter         [4080]: INFO    Set findtime = 60000
    2016-12-09 21:29:29,368 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$']
    2016-12-09 21:29:29,369 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$']
    2016-12-09 21:29:29,371 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$']
    2016-12-09 21:29:29,376 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$']
    2016-12-09 21:29:29,384 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$']
    2016-12-09 21:29:29,391 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$']
    2016-12-09 21:29:29,399 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$']
    2016-12-09 21:29:29,405 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: sql\(\S*,<HOST>\): unknown user\s*$']
    2016-12-09 21:29:29,412 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\[\])?\s*(?:<[^.]+ [^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(auth|auth-worker\(\d+\)): Info: sql\(\S*,<HOST>\): Password mismatch\s*$']
    2016-12-09 21:29:29,419 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addjournalmatch', '_SYSTEMD_UNIT=dovecot.service']
    2016-12-09 21:29:29,419 fail2ban.filtersystemd  [4080]: INFO    Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
    2016-12-09 21:29:29,420 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'addaction', 'firewallcmd-ipset']
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set action firewallcmd-ipset timeout = 60
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set actionstart = 
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set actionban = 
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set actionunban = 
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set actioncheck = 
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Set actionstop = 
    2016-12-09 21:29:29,420 fail2ban.CommandAction  [4080]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
    2016-12-09 21:29:29,421 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionban', 'ipset add fail2ban-<name> <ip> timeout <bantime> -exist']
    2016-12-09 21:29:29,421 fail2ban.CommandAction  [4080]: DEBUG   Set actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
    2016-12-09 21:29:29,422 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstop', 'firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>\nipset flush fail2ban-<name>\nipset destroy fail2ban-<name>']
    2016-12-09 21:29:29,422 fail2ban.CommandAction  [4080]: DEBUG   Set actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
    ipset flush fail2ban-<name>
    ipset destroy fail2ban-<name>
    2016-12-09 21:29:29,422 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstart', 'ipset create fail2ban-<name> hash:ip timeout <bantime>\nfirewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>']
    2016-12-09 21:29:29,422 fail2ban.CommandAction  [4080]: DEBUG   Set actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
    firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
    2016-12-09 21:29:29,423 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionunban', 'ipset del fail2ban-<name> <ip> -exist']
    2016-12-09 21:29:29,423 fail2ban.CommandAction  [4080]: DEBUG   Set actionunban = ipset del fail2ban-<name> <ip> -exist
    2016-12-09 21:29:29,424 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'protocol', 'tcp']
    2016-12-09 21:29:29,424 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'chain', 'INPUT']
    2016-12-09 21:29:29,424 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'lockingopt', '-w']
    2016-12-09 21:29:29,425 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/name', 'default']
    2016-12-09 21:29:29,425 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
    2016-12-09 21:29:29,426 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/lockingopt', '-w']
    2016-12-09 21:29:29,427 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/port', 'ssh']
    2016-12-09 21:29:29,427 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/protocol', 'tcp']
    2016-12-09 21:29:29,428 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/lockingopt', '-w']
    2016-12-09 21:29:29,428 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'port', 'pop3,pop3s,imap,imaps,submission,465,sieve']
    2016-12-09 21:29:29,429 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/chain', 'INPUT']
    2016-12-09 21:29:29,429 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/name', 'default']
    2016-12-09 21:29:29,430 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/protocol', 'tcp']
    2016-12-09 21:29:29,430 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/bantime', '600']
    2016-12-09 21:29:29,431 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'bantime', '60000']
    2016-12-09 21:29:29,431 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'iptables', 'iptables <lockingopt>']
    2016-12-09 21:29:29,432 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/__name__', 'Init']
    2016-12-09 21:29:29,432 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'returntype', 'RETURN']
    2016-12-09 21:29:29,432 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/returntype', 'RETURN']
    2016-12-09 21:29:29,433 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/__name__', 'Init']
    2016-12-09 21:29:29,433 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/returntype', 'RETURN']
    2016-12-09 21:29:29,434 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'name', 'dovecot']
    2016-12-09 21:29:29,434 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
    2016-12-09 21:29:29,435 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/port', 'ssh']
    2016-12-09 21:29:29,435 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/iptables', 'iptables <lockingopt>']
    2016-12-09 21:29:29,435 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/chain', 'INPUT_direct']
    2016-12-09 21:29:29,436 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
    2016-12-09 21:29:29,437 fail2ban.transmitter    [4080]: DEBUG   Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/iptables', 'iptables <lockingopt>']
    2016-12-09 21:29:29,437 fail2ban.transmitter    [4080]: DEBUG   Command: ['start', 'dovecot']
    2016-12-09 21:29:29,439 fail2ban.filtersystemd  [4080]: DEBUG   Read systemd journal entry: u'2016-12-09T21:16:01.423994 xxx.xxx.com dovecot[1513]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf'
    2016-12-09 21:29:29,441 fail2ban.filtersystemd  [4080]: DEBUG   Read systemd journal entry: u"2016-12-09T21:16:01.424219 xxx.xxx.com dovecot[1513]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it"
    2016-12-09 21:29:29,442 fail2ban.jail           [4080]: INFO    Jail 'dovecot' started
    2016-12-09 21:29:29,444 fail2ban.action         [4080]: DEBUG   ipset create fail2ban-dovecot hash:ip timeout 60000
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable
    2016-12-09 21:29:29,748 fail2ban.action         [4080]: DEBUG   ipset create fail2ban-dovecot hash:ip timeout 60000
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stdout: 'success\n'
    2016-12-09 21:29:29,749 fail2ban.action         [4080]: DEBUG   ipset create fail2ban-dovecot hash:ip timeout 60000
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stderr: ''
    2016-12-09 21:29:29,749 fail2ban.action         [4080]: DEBUG   ipset create fail2ban-dovecot hash:ip timeout 60000
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- returned successfully

/etc/fail2ban/jail.conf

    [INCLUDES]
    before = paths-fedora.conf

    [DEFAULT]
    ignoreip = 127.0.0.1/8
    ignorecommand =
    bantime  = 600
    findtime  = 600
    maxretry = 5
    backend = systemd
    usedns = warn
    logencoding = auto
    enabled = false
    filter = %(__name__)s

    #
    # ACTIONS
    #
    destemail = root@localhost
    sender = root@localhost
    mta = sendmail
    protocol = tcp
    chain = INPUT
    port = 0:65535
    fail2ban_agent = Fail2Ban/%(fail2ban_version)s

    banaction = firewallcmd-ipset
    banaction_allports = firewallcmd-allports


    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

    # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
    #
    # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
    # to the destemail.
    action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

    # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                    %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]


    action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
    action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
    action = %(action_)s

    # JAILS

    [dovecot]
    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    filter = dovecot
    logpath = /var/log/dovecot.log
    maxretry = 1
    findtime = 60000
    bantime = 60000
    datepattern = %b %d %H:%M:%S
    backend = %(dovecot_backend)s

/etc/fail2ban/filter.d/dovecot.conf

    # Fail2Ban filter Dovecot authentication and pop3/imap server
    #

    [INCLUDES]

    before = common.conf

    [Definition]

    _daemon = (auth|dovecot(-auth)?|auth-worker)

    failregex =auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
               auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$           


    ignoreregex = 

    [Init]

    journalmatch = _SYSTEMD_UNIT=dovecot.service

/etc/fail2ban/jail.d/00-firewalld.conf

    [DEFAULT]
    banaction = firewallcmd-ipset

Test: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-corresponded

    Running tests
    =============

    Use   failregex filter file : dovecot, basedir: /etc/fail2ban
    Use         log file : /var/log/dovecot.log
    Use         encoding : UTF-8


    Results
    =======
    Failregex: 11 total
    |-  #) [# of hits] regular expression
    |   1) [10] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
    |   2) [1] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$
    '-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [24] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    '-

    Lines: 24 lines, 0 ignored, 11 matched, 13 missed
    [processed in 0.01 sec]

    |- Matched line(s):
    |  Dec 09 13:21:24 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
    |  Dec 09 13:21:34 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
    |  Dec 09 14:16:13 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown user
    |  Dec 09 20:37:39 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 20:37:47 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 20:37:53 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 20:37:56 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 20:37:59 auth-worker(11941): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 21:29:57 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 21:30:04 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
    |  Dec 09 21:30:11 auth-worker(4141): Info: sql([email protected],172.16.2.10): Password mismatch
    '-
    |- Missed line(s):
    |  Dec 09 14:16:19 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
    |  Dec 09 20:37:06 config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it
    |  Dec 09 20:37:09 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>
    |  Dec 09 20:37:09 imap([email protected]): Info: Disconnected: Disconnected in IDLE in=11 out=366
    |  Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>
    |  Dec 09 21:15:26 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
    |  Dec 09 21:15:26 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
    |  Dec 09 21:15:26 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
    |  Dec 09 21:16:01 master: Info: Dovecot v2.2.10 starting up for imap, lmtp (core dumps disabled)
    |  Dec 09 21:29:41 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4144, TLS, session=<ehkWnT9DVQCsEAIK>
    |  Dec 09 21:29:42 imap-login: Info: Login: user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4145, TLS, session=<59krnT9DVACsEAIK>
    |  Dec 09 21:30:21 imap([email protected]): Info: Disconnected: Logged out in=1716 out=12112
    |  Dec 09 21:32:48 imap-login: Info: Disconnected (auth failed, 3 attempts in 171 secs): user=<[email protected]>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<QIYQnj9DVwCsEAIK>

dovecot.log

    Dec 09 13:21:24 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
    Dec 09 13:21:34 auth-worker(30106): Info: sql([email protected],192.168.13.107): Password mismatch
    Dec 09 14:16:13 auth-worker(31603): Info: sql([email protected],192.168.13.107): unknown user

by Paul D 09.12.2016 / 22:09

1 answer

1

OK, everything is working now, after changing one line in the file /etc/fail2ban/jail.conf in the [dovecot] section:

backend = %(dovecot_backend)s to backend = polling

    
by 09.12.2016 / 23:24
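The behaviour the question and the answer describe, simulated as an added example (this is not code from the post or from fail2ban itself). The poster's two failregex lines are run over the journal entries the systemd backend actually read (the fail2ban debug log above shows the journal match returned only the two doveconf warnings) and over the lines of /var/log/dovecot.log that the polling backend reads via logpath, and then bans are decided with the jail's maxretry and findtime. The sample lines are constructed from the excerpts above with the mailbox replaced by user@example.com; the `<HOST>` expansion and the imap-login pattern are simplified from fail2ban 0.9 and are assumptions, not copies of fail2ban's code.

```python
import re
from datetime import datetime

# Simplified form of fail2ban 0.9's <HOST> expansion (assumption: the real
# one also handles IPv6 and bracketed addresses).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the poster's filter.d/dovecot.conf.
POSTER_FAILREGEX = [
    r"auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$",
    r"auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$",
]

# The imap/pop3-login "auth failed" summary pattern of the stock fail2ban
# dovecot filter (visible in the debug log above), with its long daemon prefix
# dropped (assumption). It catches the "Disconnected (auth failed, N attempts
# ...)" lines that the poster's fail2ban-regex run reported as missed.
LOGIN_FAILREGEX = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?:: Inactivity)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
    r"|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<\S*>,)?"
    r"(?: method=\S+,)? rip=<HOST>"
)

# Constructed sample input. What backend = systemd saw: only what
# dovecot.service wrote to the journal, which here is just doveconf warnings,
# because dovecot logs authentication to /var/log/dovecot.log instead.
JOURNAL_LINES = [
    "Dec 09 21:16:01 doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf",
    "Dec 09 21:16:01 doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it",
]
# What backend = polling sees: /var/log/dovecot.log itself.
FILE_LINES = [
    "Dec 09 13:21:24 auth-worker(30106): Info: sql(user@example.com,192.168.13.107): Password mismatch",
    "Dec 09 13:21:34 auth-worker(30106): Info: sql(user@example.com,192.168.13.107): Password mismatch",
    "Dec 09 14:16:13 auth-worker(31603): Info: sql(user@example.com,192.168.13.107): unknown user",
    "Dec 09 20:37:09 imap-login: Info: Login: user=<user@example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>",
    "Dec 09 20:37:39 auth-worker(11941): Info: sql(user@example.com,172.16.2.10): Password mismatch",
    "Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<user@example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>",
]


def parse_line(line, year=2016):
    """Split a log line into (timestamp, message) using the jail's
    datepattern '%b %d %H:%M:%S'; the year is assumed since the log omits it."""
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (.*)$", line)
    if not m:
        return None, line
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def find_failures(lines, patterns):
    """Return [(timestamp, host)] for every line matching any failregex."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = []
    for line in lines:
        ts, msg = parse_line(line)
        for rx in compiled:
            m = rx.search(msg)
            if m:
                hits.append((ts, m.group("host")))
                break  # one failure per line, as fail2ban counts it
    return hits


def decide_bans(failures, maxretry, findtime):
    """Sliding-window ban decision: a host is banned the moment it has
    `maxretry` failures within `findtime` seconds. Returns {host: ban_time}."""
    recent, banned = {}, {}
    for ts, host in sorted(failures, key=lambda f: f[0]):
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned


def simulate(lines, patterns, maxretry, findtime):
    return decide_bans(find_failures(lines, patterns), maxretry, findtime)


if __name__ == "__main__":
    print("systemd backend, poster's jail :", simulate(JOURNAL_LINES, POSTER_FAILREGEX, 1, 60000))
    print("polling backend, poster's jail :", simulate(FILE_LINES, POSTER_FAILREGEX, 1, 60000))
    print("polling, maxretry=5 findtime=600:", simulate(FILE_LINES, POSTER_FAILREGEX + [LOGIN_FAILREGEX], 5, 600))
```

The first run returns no bans at all, which is the symptom in the question: the journal never carries the auth-worker lines, so no regex can fire regardless of how the filter is written. The second run, on the same lines the polling backend reads, bans both source addresses on their first failure because the jail sets maxretry = 1 and keeps them out for 60000 s (over 16 hours); the [DEFAULT] values of maxretry = 5 and findtime = 600 shown above give the third result, no ban for this short sample, and are a more usual starting point for a mail server. After the backend change, `fail2ban-client status dovecot` lists the banned addresses and `ipset list fail2ban-dovecot` shows the set the firewallcmd-ipset action created.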