I set up a simple mailserver a while back using dovecot (no, it's not vulnerable to the passdb TAB issue, funny as that one is), but had a hell of a time getting the right regex and setup for fail2ban: most examples are written for the default PAM passdb rather than an SQL authentication back-end, so their regexes never match the auth-worker sql(...) lines an SQL passdb writes to the log.
Here's the jail.conf setup. The magic here is the "iptables-multiport" action, which bans the offending host on all four POP3/IMAP ports with a single rule; it relies on the iptables multiport match, so that netfilter module (xt_multiport) must be available on the host or the ban rule will fail to insert.
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="110,995,143,993", protocol=tcp]
         sendmail-whois[name=dovecot, dest=root@mydomain.tld, sender=fail2ban@mydomain.tld]
logpath = /var/log/maillog
As for the filter.d match (these go under failregex in filter.d/dovecot.conf), here is the regex for an unknown user:
dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): unknown user
and for password failure:
dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch
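To check that the two failregex lines above actually pull the client address out of SQL-passdb log lines, here is a small added example (not part of the original post, and not fail2ban's own code) that applies them the way fail2ban does: it substitutes fail2ban's host-capturing group for the <HOST> token, runs both patterns over a few constructed maillog lines in the dovecot auth-worker format, counts failures per source IP, and reports which hosts would cross a maxretry threshold. The log lines, addresses and user names are made up for the demonstration; the jail name and ports are not needed here.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> token in a failregex with a named group before
# compiling it; this is the substitution it uses (optional IPv4-mapped IPv6
# prefix, then a host token captured as "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the post, verbatim.
FAILREGEX = [
    r"dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): unknown user",
    r"dovecot.*auth-worker\(default\): sql\(.*,<HOST>\): Password mismatch",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as fail2ban does on load."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def scan_log(lines, patterns=FAILREGEX):
    """Return a Counter of source address -> number of matching failure lines.

    A line is counted at most once even if several failregex lines match it.
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Addresses whose failure count reached maxretry (findtime is ignored here)."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


# Constructed sample /var/log/maillog lines in the dovecot 1.x auth-worker
# format the failregex expects. Not real traffic: documentation addresses only.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail dovecot: auth-worker(default): sql(bob@mydomain.tld,192.0.2.10): unknown user
Mar  3 10:01:05 mail dovecot: auth-worker(default): sql(bob@mydomain.tld,192.0.2.10): unknown user
Mar  3 10:01:09 mail dovecot: auth-worker(default): sql(alice@mydomain.tld,192.0.2.10): Password mismatch
Mar  3 10:02:00 mail dovecot: auth-worker(default): sql(alice@mydomain.tld,198.51.100.7): Password mismatch
Mar  3 10:02:30 mail dovecot: imap-login: Login: user=<alice@mydomain.tld>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Mar  3 10:03:00 mail dovecot: auth-worker(default): sql(carol@mydomain.tld,192.0.2.10): unknown user
""".splitlines()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} failures")
    print("would ban:", hosts_to_ban(hits, maxretry=3))
```

The successful imap-login line is deliberately included to confirm it is not counted. On the real box the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf`, which reports how many lines each failregex matched and which hosts it extracted.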
Next step is to write one that detects people trying to use that TAB exploit; even though it doesn't work on this setup, I just really don't like people trying.
Thank you for the help on fail2ban with dovecot.
Also, you need to set auth_verbose=yes in dovecot.conf.
dalius
You're welcome, and yes, that's a good point: auth_verbose needs to be set in dovecot in order to get the necessary log entries for fail2ban to catch. Thanks for pointing that out.