On Friday 19 April 2019 15:19:26 Pete Biggs wrote:
I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on another page:
The standard exim.conf already has a 535 filter. Was that not working for you?
I was following the instructions as shown on the page. I did find after sending my post that there was already a regex in the standard file, so should be able to remove the one I added. However, the regex part doesn't seem to be the problem as the actions are being correctly triggered.
\[<HOST>\]: 535 Incorrect authentication datawhich appears to be successfully matchnig lines in /var/log/exim/mail.log such as
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
Just to check - you are authenticating against dovecot for SMTP within exim (and it's not that dovecot authentication is getting mixed up with the exim logs)?
This is correct. I am using Dovecot to authenticate the SMTP users. The errors are being logged in /var/log/exim/main.log and not in /var/log/dovecot.log or /var/log/maillog
/var/log/fail2ban.log, and the generarted emails all say that the regex is working and the IP addresses are getting banned.
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
It would be much, much easier to read if you didn't wrap the log lines
- I've unwrapped them for you:
(I didn't wrap them, my mail client did. Sorry)
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
However, once an IP address is banned, it continues to appear in /var/log/exim/main.log which would imply that the ban action is not working.
Only for one more attempt - I presume your ban action is to modify the firewall, but the firewall doesn't stop established connections, so as long as the remote host has an open TCP connection it can continue to attempt to login. If your authenticator drops the connection after 3 attempts and Fail2Ban blocks after 2 failed attempts you will see what you've got.
The event that triggers the ban does complete as normal, which is what I would expect as the ban is triggered by the log entry which is *after* the failed attempt.
However, after the /var/log/fail2ban.log showed the IP as banned, I continue to see entries in /var/log/exim/main.log
(Also, I don't understand why it's matching against dovecont ewhen the
regex is in exim.conf)
Because the log line says dovecot - the actual name of the .conf file is irrelevant and nowhere in the filter config files does it mention [exim] explicitly (or any other section). The section is determined from the log line using the filters.
I did wonder that, but had initially assumed that the it took it from the module / target.