On Friday 19 April 2019 15:19:26 Pete Biggs wrote:

> > I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested
> > on another page:
>
> The standard exim.conf already has a 535 filter. Was that not working
> for you?

I was following the instructions as shown on the page. I did find after
sending my post that there was already a regex in the standard file, so
should be able to remove the one I added. However, the regex part doesn't
seem to be the problem as the actions are being correctly triggered.

> > \[<HOST>\]: 535 Incorrect authentication data
> >
> > which appears to be successfully matching lines in /var/log/exim/mail.log
> > such as
> >
> > 2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
>
> Just to check - you are authenticating against dovecot for SMTP within
> exim (and it's not that dovecot authentication is getting mixed up with
> the exim logs)?

This is correct. I am using Dovecot to authenticate the SMTP users. The
errors are being logged in /var/log/exim/main.log and not in
/var/log/dovecot.log or /var/log/maillog

> > /var/log/fail2ban.log, and the generated emails all say that the regex
> > is working and the IP addresses are getting banned.
> >
> > 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
> > 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> > 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
> > 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
> > 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
> > 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
> > 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
> > 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> > 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
> > 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> > 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
> > 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
>
> It would be much, much easier to read if you didn't wrap the log lines
> - I've unwrapped them for you:

(I didn't wrap them, my mail client did. Sorry)

> 2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
>
> > However, once an IP address is banned, it continues to appear
> > in /var/log/exim/main.log which would imply that the ban action is not
> > working.
>
> Only for one more attempt - I presume your ban action is to modify the
> firewall, but the firewall doesn't stop established connections, so as
> long as the remote host has an open TCP connection it can continue to
> attempt to login. If your authenticator drops the connection after 3
> attempts and Fail2Ban blocks after 2 failed attempts you will see what
> you've got.

The event that triggers the ban does complete as normal, which is what I
would expect as the ban is triggered by the log entry which is *after* the
failed attempt. However, after the /var/log/fail2ban.log showed the IP as
banned, I continue to see entries in /var/log/exim/main.log

> > (Also, I don't understand why it's matching against dovecot when the
> > regex is in exim.conf)
>
> Because the log line says dovecot - the actual name of the .conf file
> is irrelevant and nowhere in the filter config files does it mention
> [exim] explicitly (or any other section). The section is determined
> from the log line using the filters.

I did wonder that, but had initially assumed that it took it from the
module / target.
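To make the "one more attempt after the ban" behaviour from the exchange above concrete, here is an added Python example (not code from the thread, nor fail2ban's own implementation): it expands the <HOST> placeholder roughly the way fail2ban does, runs the failregex quoted in the thread over a constructed /var/log/exim/main.log excerpt, and replays a minimal jail with maxretry/findtime so a further 535 line arriving after the ban is counted separately. HOST_RE is an approximation of fail2ban's expansion, and the sample log lines (including the exim message id) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximation of how fail2ban expands the <HOST> placeholder of a failregex
# into a named capture group (IPv4 or hostname, optional IPv4-mapped prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex quoted in the thread, as it appears in filter.d/exim.conf
FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex (containing <HOST>) into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def simulate_jail(log_text: str, maxretry: int = 3, findtime: int = 600) -> dict:
    """Replay main.log lines through a minimal jail: count failures per host
    inside findtime, record the time of the first ban, and count matches that
    still arrive after the ban (the attempt on an already-open connection)."""
    pattern = compile_failregex(FAILREGEX)
    failures = defaultdict(list)   # host -> timestamps of recent failures
    banned = {}                    # host -> timestamp of the ban
    after_ban = defaultdict(int)   # host -> matching lines seen once banned
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue               # e.g. an ordinary delivery line, ignored
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        if host in banned:
            after_ban[host] += 1
            continue
        window = ts - timedelta(seconds=findtime)
        failures[host] = [t for t in failures[host] if t >= window] + [ts]
        if len(failures[host]) >= maxretry:
            banned[host] = ts      # the ban fires on the line *after* the failure
    return {"banned": banned, "after_ban": dict(after_ban)}


# Constructed sample in the format of /var/log/exim/main.log (not real traffic)
SAMPLE_LOG = """\
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
2019-04-19 13:06:20 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
2019-04-19 13:06:25 1hHQ3B-0004Xk-5e <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
2019-04-19 13:06:36 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
2019-04-19 13:06:40 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
"""

if __name__ == "__main__":
    print(simulate_jail(SAMPLE_LOG))
```

With maxretry=3 the ban is recorded on the third 535 line (13:06:36) and the fourth line at 13:06:40 is counted as an after-ban attempt, which is the pattern visible in the thread's fail2ban.log for 45.227.253.99.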