1 (edited by SteveInAkron 2016-12-12 13:24:08)

Topic: Possible change needed to fail2ban filter

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.1.3 (MySQL)
====

The filter dovecot.iredmail.conf is missing the "auth failed" login attempts.

The current filter is:
--------
[Definition]
failregex = Authentication failure.* rip=<HOST>
            Aborted login \(no auth attempts in .* rip=<HOST>
            Aborted login \(auth failed, .* rip=<HOST>
            Aborted login \(tried to use disallowed .* rip=<HOST>
            Aborted login \(tried to use disabled .* rip=<HOST>

ignoreregex =
---------

The line

            Aborted login \(auth failed, .* rip=<HOST>

needs to be

            (?:Aborted|Disconnected) \(auth failed, .* rip=<HOST>

to catch attempts. I didn't see it in the change log. Sorry if it's been taken care of in the later versions.

EDIT: probably should do the same to the "no auth attempts" regular expression as well.

Like (?:Aborted login|Disconnected)


2

Re: Possible change needed to fail2ban filter

Thanks for the feedback, could you please show us some original log lines?

3

Re: Possible change needed to fail2ban filter

lip and email address munged. I do not have any 'Aborted' type records in the current log file.

Dec 11 12:15:11 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<gls@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<YQ8SIWVDewDUCPbe>
Dec 11 12:23:27 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<gls@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<3t+lPmVDGQDUCPbe>
Dec 11 12:23:37 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<gls@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<0QwFP2VDzQDUCPbe>
Dec 11 12:24:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<gls@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<eCfyQmVDaQDUCPbe>
Dec 11 12:25:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<gls@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<MgE7RWVDIADUCPbe>
Dec 11 15:35:03 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<e7/h62dDOgDUCPbe>
Dec 11 15:40:20 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<DYDC/mdDdADUCPbe>
Dec 11 15:57:14 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<xtg1O2hDOQDUCPbe>
Dec 11 16:11:26 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<help@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<w1r6bWhDlwDUCPbe>
Dec 11 16:11:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<billing@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<RT8AbmhDpgDUCPbe>
Dec 11 16:34:15 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<support@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<0zOYv2hDkQDUCPbe>
Dec 11 16:49:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.net>, method=PLAIN, rip=212.8.246.222, lip=10.11.12.13, TLS: Disconnected, session=<xxfH9mhDwgDUCPbe>
Dec 12 07:14:46 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<wf+uDHVDlAAYsyFd>
Dec 12 07:14:46 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<QoewDHVDlgAYsyFd>
Dec 12 07:14:46 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<x2GyDHVDlwAYsyFd>
Dec 12 07:29:09 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<U3gfQHVDpQAYsyFd>
Dec 12 07:29:09 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<Ve8gQHVDqAAYsyFd>
Dec 12 07:29:09 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=24.179.33.93, lip=10.11.12.13, session=<n+MiQHVDqQAYsyFd>

4

Re: Possible change needed to fail2ban filter

Committed:
https://bitbucket.org/zhb/iredmail/comm … 037b30a899

5

Re: Possible change needed to fail2ban filter

This is what I have, and it seems to be working. I think the "Aborted" and the "Aborted login" are mixed up.

[Definition]
failregex = Authentication failure.* rip=<HOST>
            (Aborted login|Disconnected) \(no auth attempts in .* rip=<HOST>
            (Aborted|Disconnected) \(auth failed, .* rip=<HOST>
            Aborted login \(tried to use disallowed .* rip=<HOST>
            Aborted login \(tried to use disabled .* rip=<HOST>

ignoreregex =

6

Re: Possible change needed to fail2ban filter

SteveInAkron wrote:

            (Aborted login|Disconnected) \(no auth attempts in .* rip=<HOST>

Your rule will block "Disconnected (no auth attempts ...". I'm afraid this might be too strict and will block some MUAs. Did you have any block caught by this rule? Any false alarm?

7 (edited by SteveInAkron 2016-12-13 21:15:08)

Re: Possible change needed to fail2ban filter

Here are the two log files. First is the fail2ban.log entries for dovecot bans. Second is the dovecot.log entries relating to the banned IP addresses.

Nothing was caught recently from the Disconnected portion. If I had used "Disconnected: Inactivity" I would probably have had a lot of false alarms. I'll try the "Disconnected: Inactivity" with fail2ban-regex, and see.

EDIT: If I add the Inactivity portion, it catches a lot of mobile phone users. Too restrictive to use.

2016-12-11 15:17:10,419 fail2ban.actions: WARNING [dovecot-iredmail] Ban 97.34.65.162
2016-12-11 16:37:36,782 fail2ban.actions: WARNING [dovecot-iredmail] Ban 70.194.225.115
2016-12-11 16:49:20,651 fail2ban.actions: WARNING [dovecot-iredmail] Ban 66.219.150.159
2016-12-12 00:30:48,581 fail2ban.actions: WARNING [dovecot-iredmail] Ban 108.81.218.13
2016-12-12 06:59:46,449 fail2ban.actions: WARNING [dovecot-iredmail] Ban 37.49.226.107
2016-12-12 07:28:12,679 fail2ban.actions: WARNING [dovecot-iredmail] Ban 70.194.224.246
2016-12-12 08:15:18,082 fail2ban.actions: WARNING [dovecot-iredmail] Ban 96.11.55.114
2016-12-12 10:13:37,670 fail2ban.actions: WARNING [dovecot-iredmail] Ban 97.46.195.20
2016-12-12 16:40:04,911 fail2ban.actions: WARNING [dovecot-iredmail] Ban 97.46.193.50
2016-12-13 01:11:41,913 fail2ban.actions: WARNING [dovecot-iredmail] Ban 108.81.218.13

Dec 11 08:00:04 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<Y+vekGFDLQBhIkGi>
Dec 11 10:06:46 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<qtfvVWNDKQBhIkGi>
Dec 11 10:07:01 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<71jUVmNDLABhIkGi>
Dec 11 10:15:54 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<N3WXdmNDJQBhIkGi>
Dec 11 10:16:20 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<4OgteGND1ABhIkGi>
Dec 11 13:11:03 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<ip4A6WVDMgBhIkGi>
Dec 11 13:11:12 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=</XOM6WVDIABhIkGi>
Dec 11 14:44:42 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<fvvtN2dDMwBhIkGi>
Dec 11 14:44:56 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<Qya+OGdDPABhIkGi>
Dec 11 14:54:13 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<Afv1WWdDLABhIkGi>
Dec 11 14:54:24 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<ysmfWmdDKwBhIkGi>
Dec 11 15:17:10 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.34.65.162, lip=10.11.12.13, session=<vJwGrGdDLwBhIkGi>

Dec 11 16:34:19 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<SVLvv2hDqABGwuFz>
Dec 11 16:34:19 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<6Bfzv2hDqQBGwuFz>
Dec 11 16:34:19 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<4I71v2hDoQBGwuFz>
Dec 11 16:34:19 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<i9n3v2hDowBGwuFz>
Dec 11 16:37:35 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<pqany2hDpwBGwuFz>
Dec 11 16:37:36 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<Ilyry2hDqQBGwuFz>
Dec 11 16:37:36 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<5xmxy2hDsABGwuFz>
Dec 11 16:40:36 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<xG5v1mhDtgBGwuFz>

Dec 11 16:39:20 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=66.219.150.159, lip=10.11.12.13, session=<WFPe0WhD0ABC25af>
Dec 11 16:39:21 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=66.219.150.159, lip=10.11.12.13, session=<QODz0WhD0QBC25af>
Dec 11 16:44:20 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=66.219.150.159, lip=10.11.12.13, session=<owfH42hDvQBC25af>
Dec 11 16:44:22 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=66.219.150.159, lip=10.11.12.13, session=<Vzvo42hDyABC25af>
Dec 11 16:49:20 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=66.219.150.159, lip=10.11.12.13, session=<oJml9WhDRABC25af>

Dec 11 23:59:18 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<BcFO925DhQBsUdoN>
Dec 11 23:59:18 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<L0lV925DWwBsUdoN>
Dec 12 00:15:05 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<hrjGL29DswBsUdoN>
Dec 12 00:15:05 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<S9nLL29DgQBsUdoN>
Dec 12 00:30:47 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<WJDvZ29D3ABsUdoN>
Dec 12 00:30:48 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<MUT1Z29DJwBsUdoN>
Dec 13 00:41:34 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<yGhYrINDIwBsUdoN>
Dec 13 00:41:35 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<iHRcrINDuwBsUdoN>
Dec 13 00:56:40 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<rpJN4oNDWwBsUdoN>
Dec 13 00:56:40 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<C4NR4oND8ABsUdoN>
Dec 13 01:11:41 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<eOMDGIRDxgBsUdoN>
Dec 13 01:11:41 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=108.81.218.13, lip=10.11.12.13, session=<iD8NGIRDeABsUdoN>

Dec 12 06:59:44 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<jAvr1nRDLwAlMeJr>
Dec 12 06:59:44 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<4vTw1nRDlQAlMeJr>
Dec 12 06:59:45 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<ROb11nRDMwAlMeJr>
Dec 12 06:59:45 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<Dgn71nRDowAlMeJr>
Dec 12 06:59:45 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<poYA13RDUgAlMeJr>
Dec 12 06:59:46 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<CmIG13RD6QAlMeJr>
Dec 12 07:02:44 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=37.49.226.107, lip=10.11.12.13, session=<TjWi4XRDnAAlMeJr>

Dec 12 07:12:25 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<4JRKBHVD9QBGwuD2>
Dec 12 07:12:26 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<pOlQBHVD7gBGwuD2>
Dec 12 07:12:49 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<rGe5BXVD6ABGwuD2>
Dec 12 07:28:12 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<4oqyPHVD/wBGwuD2>
Dec 12 07:28:12 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<RPq5PHVD9QBGwuD2>

Dec 13 07:33:22 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<9qoJbYlD6ABGwuD2>
Dec 13 07:33:22 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=70.194.224.246, lip=10.11.12.13, session=<q/8QbYlD7QBGwuD2>

Dec 12 08:15:17 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=96.11.55.114, lip=10.11.12.13, session=<Wbga5XVDnwBgCzdy>
Dec 12 08:15:17 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=96.11.55.114, lip=10.11.12.13, session=<cQId5XVDXABgCzdy>
Dec 12 08:15:17 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=96.11.55.114, lip=10.11.12.13, session=<1cge5XVD9gBgCzdy>
Dec 12 08:15:17 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=96.11.55.114, lip=10.11.12.13, session=<52Ug5XVDTwBgCzdy>
Dec 12 08:15:18 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=96.11.55.114, lip=10.11.12.13, session=<5mgi5XVDPwBgCzdy>

Dec 12 09:28:08 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.195.20, lip=10.11.12.13, session=<nOao6XZDHABhLsMU>
Dec 12 09:28:11 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.195.20, lip=10.11.12.13, session=<0qLP6XZDHQBhLsMU>
Dec 12 09:28:19 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.195.20, lip=10.11.12.13, session=<mTVR6nZDFQBhLsMU>
Dec 12 10:13:17 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.195.20, lip=10.11.12.13, session=<NjoVi3dDAABhLsMU>
Dec 12 10:13:37 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=97.46.195.20, lip=10.11.12.13, session=<DqtGjHdDDABhLsMU>

Dec 12 15:55:53 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.193.50, lip=10.11.12.13, session=<WwJXVHxD/wBhLsEy>
Dec 12 15:56:08 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.193.50, lip=10.11.12.13, session=<brJAVXxDxQBhLsEy>
Dec 12 16:36:09 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.193.50, lip=10.11.12.13, session=<T6lY5HxD8ABhLsEy>
Dec 12 16:36:20 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=97.46.193.50, lip=10.11.12.13, session=<tIb/5HxD7ABhLsEy>
Dec 12 16:40:04 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=97.46.193.50, lip=10.11.12.13, session=<mqdT8nxD8ABhLsEy>

8

Re: Possible change needed to fail2ban filter

SteveInAkron wrote:

Dec 11 16:40:36 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<xG5v1mhDtgBGwuFz>

This is caused by a client that connected but sent no further IMAP directive and just waited for the timeout.

Usually clients should perform further IMAP directives, but connected and timed out? Sounds like a bad boy, but we cannot be sure it's spam.

9 (edited by SteveInAkron 2016-12-14 20:54:14)

Re: Possible change needed to fail2ban filter

ZhangHuangbin wrote:
SteveInAkron wrote:

Dec 11 16:40:36 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=70.194.225.115, lip=10.11.12.13, session=<xG5v1mhDtgBGwuFz>

This is caused by a client that connected but sent no further IMAP directive and just waited for the timeout.

Usually clients should perform further IMAP directives, but connected and timed out? Sounds like a bad boy, but we cannot be sure it's spam.

That one was a bad boy for sure, but he was already banned at that point. Not sure why it showed up in the connection log. I would have thought the firewall would have prevented all connections. Must be some lag time in the system.

2016-12-11 16:37:36,782 fail2ban.actions: WARNING [dovecot-iredmail] Ban 70.194.225.115

EDIT: Here is a file with "Disconnect:" entries that are not being caught from the current dovecot log. I know at least one is a customer.

I think I'm going to add a rule to catch "Disconnected: Too many invalid commands".

Post's attachments

Diconnect.txt 67.51 kb

10

Re: Possible change needed to fail2ban filter

How about we make it even simpler:

[Definition]
failregex = Authentication failure.* rip=<HOST>
            \(no auth attempts in .* rip=<HOST>
            \(auth failed.* rip=<HOST>
            \(tried to use disallowed .* rip=<HOST>
            \(tried to use disabled .* rip=<HOST>

ignoreregex =

Just track strings "no auth attempts in", "auth failed" ..., not "XXX (no auth attempts in" and "XXX (auth failed ...".

11

Re: Possible change needed to fail2ban filter

Had some time this weekend to play with and tweak this some. I tried the simplified strings only with fail2ban-regex, and it caught a few legit cell phone users. It only seems to be affecting Verizon users though. The error looks like:

pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=44.55.66.77, lip=10.11.12.13, TLS handshaking, session=<7D8POWVDhACu7o9N>

Some of the IPs in the dovecot.log file have legitimate logins in the mail.log file.
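To make the trade-off in this thread visible, here is an added Python check (not part of the thread, iRedMail or fail2ban) that runs the three failregex sets, the original dovecot.iredmail.conf filter, the revision in post 5 and the simplified set in post 10, over constructed log lines modelled on the ones posted above. The `<HOST>` substitution is a simplified IPv4-only stand-in for fail2ban's own, and the rip addresses and session ids in the samples are made up.

```python
import re

# fail2ban replaces <HOST> with its own capturing group for the client address.
# This simplified IPv4-only stand-in is an assumption, not fail2ban's pattern.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex sets from the thread: the original dovecot.iredmail.conf,
# the revision in post 5, and the simplified version in post 10.
FILTERS = {
    "original": [
        r"Authentication failure.* rip=<HOST>",
        r"Aborted login \(no auth attempts in .* rip=<HOST>",
        r"Aborted login \(auth failed, .* rip=<HOST>",
        r"Aborted login \(tried to use disallowed .* rip=<HOST>",
        r"Aborted login \(tried to use disabled .* rip=<HOST>",
    ],
    "revised": [
        r"Authentication failure.* rip=<HOST>",
        r"(Aborted login|Disconnected) \(no auth attempts in .* rip=<HOST>",
        r"(Aborted|Disconnected) \(auth failed, .* rip=<HOST>",
        r"Aborted login \(tried to use disallowed .* rip=<HOST>",
        r"Aborted login \(tried to use disabled .* rip=<HOST>",
    ],
    "simplified": [
        r"Authentication failure.* rip=<HOST>",
        r"\(no auth attempts in .* rip=<HOST>",
        r"\(auth failed.* rip=<HOST>",
        r"\(tried to use disallowed .* rip=<HOST>",
        r"\(tried to use disabled .* rip=<HOST>",
    ],
}

# Constructed sample lines modelled on the ones posted in the thread; the rip
# addresses are from documentation ranges and the session ids are invented.
SAMPLE_LOG = [
    "Dec 11 12:15:11 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<gls@example.net>, method=PLAIN, rip=203.0.113.10, lip=10.11.12.13, TLS: Disconnected, session=<AAAAAAAAAAAAAAAA>",
    "Dec 11 08:00:04 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=203.0.113.20, lip=10.11.12.13, session=<BBBBBBBBBBBBBBBB>",
    "Dec 11 16:39:20 pop3-login: Info: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.30, lip=10.11.12.13, session=<CCCCCCCCCCCCCCCC>",
    "Dec 12 07:02:44 pop3-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=198.51.100.5, lip=10.11.12.13, TLS handshaking, session=<DDDDDDDDDDDDDDDD>",
]


def matched_hosts(patterns, lines):
    """Return the client addresses a failregex set would count as failures."""
    regexes = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hosts = set()
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.add(m.group("host"))
                break  # one failure per line is enough, like fail2ban
    return hosts


if __name__ == "__main__":
    for name, patterns in FILTERS.items():
        # Only "simplified" also counts the idle-timeout line (198.51.100.5).
        print(name, sorted(matched_hosts(patterns, SAMPLE_LOG)))
```

The original set misses the "Disconnected (auth failed" line entirely, the revised set catches it without touching "Disconnected: Inactivity", and the simplified set counts the inactivity timeout too, which is the false positive post 11 reports for mobile clients.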

12

Re: Possible change needed to fail2ban filter

Sometimes a well-configured MUA still triggers some failure (not just 'auth failed'). I had this issue with macOS Mail.app.