On Friday 26 April 2019 14:54:43 Pete Biggs wrote:
I did wonder that myself. I have now amended the Dovecot definition in jail.conf to:
[dovecot]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
I then unbanned and banned each IP address manually with
Did you reload the configuration? ("fail2ban-client reload")
What action are you using - you mention ipset, are you using iptables-ipset-proto4? I don't know anything about ipset, but can you see what ports are being blocked in the fail2ban-dovecot set (just to make sure it is doing the correct thing).
If you manually add an IP address to the *exim* jail, does it get blocked?
I saved all config files and restarted the fail2ban service. I even rebooted the box. My jail.conf definition for exim is now:
[exim]
port = pop3,pop3s,imap,imaps,submission,sieve,25,1025,465,587
logpath = %(exim_main_log)s
I have also added a REGEX into /etc/fail2ban/filter.d/exim.conf
^%(pid)s.* \[<HOST>\] rejected EHLO or HELO
to match entries like:
2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO user: Your server with the IP 102.165.49.64 is with helo name (User) configured incorrectly. Email has been blocked. (HELO Error)
The HELO messages seem to have stopped appearing in the logs, so it looks like that is working. However, the original Dovecot authentication errors are still appearing in exim/main.log.
[root@ollie2 ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     180
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 41
   |- Total banned:     41
   `- Banned IP list:   106.226.231.159 113.120.142.149 113.120.143.41 114.106.134.228 114.238.30.180 116.91.166.50 117.24.39.199 117.29.90.228 117.31.46.4 117.60.247.84 119.127.17.82 120.43.54.45 121.233.206.62 121.237.56.154 122.7.227.53 14.29.161.224 140.224.60.165 140.224.61.88 141.98.80.32 180.146.128.112 183.135.168.89 185.211.245.198 185.222.209.56 185.222.209.71 185.234.217.160 185.234.217.162 185.234.217.221 185.36.81.165 188.165.238.157 203.2.118.130 209.166.164.71 210.6.94.23 211.72.92.124 27.156.139.95 27.156.176.146 41.164.192.74 45.227.253.100 45.227.253.99 46.232.112.21 49.87.109.233 52.38.234.254
[root@ollie2 ~]# fail2ban-client status exim
Status for the jail: exim
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   103.114.104.149 185.222.209.71 185.234.217.160 85.222.209.56
[root@ollie2 ~]# ipset list
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 120
References: 0
Number of entries: 0
Members:
Name: fail2ban-dovecot
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 3864
References: 0
Number of entries: 41
Members:
[41 member lines of the form "<address> timeout <seconds>" omitted]
Name: fail2ban-exim
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600000
Size in memory: 504
References: 0
Number of entries: 4
Members:
185.234.217.160 timeout 4291074
185.222.209.71 timeout 4291073
85.222.209.56 timeout 4291075
103.114.104.149 timeout 4291067
[root@ollie2 ~]#
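As an added example (not code from this thread or from fail2ban itself), the Python snippet below approximates how fail2ban expands the placeholders in the exim failregex discussed above and applies it to a constructed main.log line, and shows why the square brackets around <HOST> must be escaped. The %(pid)s and <HOST> expansions are assumptions modelled on fail2ban 0.9's definitions; the sample log lines are constructed.

```python
import re
import warnings

# Assumed approximations of what fail2ban substitutes for the two placeholders
# in the posted failregex: <HOST> as expanded by fail2ban 0.9, and %(pid)s as
# defined in exim-common.conf (an optional " [pid]" after the timestamp).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?: \[\d+\])?"

# exim's main.log lines begin "YYYY-MM-DD HH:MM:SS "; fail2ban applies the
# failregex to the remainder of the line once the timestamp has been consumed.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex):
    """Expand the fail2ban placeholders and compile the result."""
    expanded = failregex.replace("%(pid)s", PID_RE).replace("<HOST>", HOST_RE)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)  # noisy on a bad "[<HOST>]"
        return re.compile(expanded)


def failregex_compiles(failregex):
    """True if the expanded failregex is a valid regex, False otherwise."""
    try:
        compile_failregex(failregex)
        return True
    except re.error:
        return False


def match_host(failregex, line):
    """Host captured by the failregex on one exim log line, or None."""
    body = TIMESTAMP_RE.sub("", line, count=1)
    m = compile_failregex(failregex).search(body)
    return m.group("host") if m else None


# Constructed sample lines modelled on the HELO rejection quoted in the thread.
HELO_REJECT = ("2019-04-26 15:44:13 H=(User) [102.165.49.64] rejected EHLO or HELO "
               "user: Your server ... is configured incorrectly. (HELO Error)")
UNRELATED = "2019-04-26 15:45:01 1hJw9x-0001Tr-8M <= sender@example.net U=exim P=local"

ESCAPED = r"^%(pid)s.* \[<HOST>\] rejected EHLO or HELO"
UNESCAPED = r"^%(pid)s.* [<HOST>] rejected EHLO or HELO"  # "[" opens a character class

if __name__ == "__main__":
    print(match_host(ESCAPED, HELO_REJECT))   # 102.165.49.64
    print(match_host(ESCAPED, UNRELATED))     # None
    print(failregex_compiles(UNESCAPED))      # False
```

The same check can be run against a real log with `fail2ban-regex /var/log/exim/main.log /etc/fail2ban/filter.d/exim.conf`, which reports how many lines each failregex matched.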