I noticed that some IPs are trying to connect to my IMAP/SMTP server (SASL) many times, but over a longer time frame than the usual 5–15 minute window, so I decided to have two jails for these services: one jail for the short time frame that looks for 3 failures in 5 minutes, and one for the long time frame (a day) that looks for 10 failures. Here's my jail.local; in particular, see the dovecot and dovecot-long sections.
root@messagerie[10.10.10.19] ~ # cat /etc/fail2ban/jail.local
[DEFAULT]
action = shorewall
ignoreip = 127.0.0.1/8 10.10.10.0/24 172.16.0.0/16 192.168.0.0/16
# ychaouche
# the default is 10 minutes,
# I set it to 1 day.
bantime = 86400
[postfix-sasl]
enabled = true
port = all
filter = postfix-sasl
#action = shorewall
logpath = /var/log/mail.warn
maxretry = 3
findtime = 600
[postfix]
enabled = true
port = all
filter = postfix
logpath = /var/log/mail.log
# Short-window dovecot jail: no maxretry/findtime set here, so it presumably
# inherits the defaults (maxretry = 3, findtime = 600) — confirm.
[dovecot]
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
# Long-window dovecot jail: same filter and logpath as [dovecot], wider findtime.
[dovecot-long]
findtime = 86400
# NOTE(review): the key is spelled `maxretry` in [postfix-sasl] above and in
# the defaults block (maxretry = 3); `maxretries` is a different name and may
# not be read by fail2ban, in which case the default of 3 would apply to this
# jail — confirm with `fail2ban-client get dovecot-long maxretry`.
maxretries = 10
# 5 days (overrides the 1-day bantime from [DEFAULT])
bantime = 432000
enabled = true
port = all
filter = dovecot
logpath = /var/log/dovecot.log
[ssh]
port = all
root@messagerie[10.10.10.19] ~ #
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
findtime = 600
maxretry = 3
What I have found out is that fail2ban is banning some IPs that have fewer failures than the required maxretries (10); for example, this IP:
root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/fail2ban.log
2017-08-23 15:33:54,153 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
2017-08-23 15:40:04,878 fail2ban.actions[10631]: WARNING [dovecot-long] Unban 113.195.181.126
2017-08-23 15:58:59,699 fail2ban.actions[10631]: WARNING [dovecot-long] Ban 113.195.181.126
root@messagerie[10.10.10.19] ~ #
root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ # grep auth.failed.*113.195.181.126 /var/log/dovecot.log | wc -l
5
root@messagerie[10.10.10.19] ~ #
root@messagerie[10.10.10.19] ~ # grep 113.195.181.126 /var/log/dovecot.log
Jul 30 16:33:13 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blank_control@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<cUp2oYpVVwBxw7V+>
Aug 20 09:32:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<Op07NCtXaABxw7V+>
Aug 22 16:39:41 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=nZ5jZ1lXiwBxw7V+ lip=10.10.10.19 rip=113.195.181.126 lport=993 rport=24715
Aug 22 16:39:44 auth-worker(10354): Debug: sql(blanc_antenne@mydomain.tld,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('blanc_antenne@mydomain.tld')
Aug 22 16:39:44 auth-worker(10354): Info: sql(blanc_antenne@mydomain.tld,113.195.181.126): unknown user
Aug 22 16:39:48 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<blanc_antenne@mydomain.tld>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<nZ5jZ1lXiwBxw7V+>
Aug 22 19:37:21 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=ilDF4ltX4gBxw7V+ lip=10.10.10.19 rip=113.195.181.126 lport=993 rport=22498
Aug 22 19:37:24 auth-worker(10354): Debug: sql(a.chaouche,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('a.chaouche')
Aug 22 19:37:24 auth-worker(10354): Info: sql(a.chaouche,113.195.181.126): unknown user
Aug 22 19:37:28 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<a.chaouche>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS, session=<ilDF4ltX4gBxw7V+>
Aug 23 01:19:23 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=WTL7qWBXzgBxw7V+ lip=10.10.10.19 rip=113.195.181.126 lport=993 rport=50638
Aug 23 01:19:27 auth-worker(10354): Debug: sql(aine3,113.195.181.126): query: SELECT email as user, password FROM users WHERE email = LOWER('aine3')
Aug 23 01:19:27 auth-worker(10354): Info: sql(aine3,113.195.181.126): unknown user
Aug 23 01:19:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 7 secs): user=<aine3>, method=PLAIN, rip=113.195.181.126, lip=10.10.10.19, TLS: Disconnected, session=<WTL7qWBXzgBxw7V+>
root@messagerie[10.10.10.19] ~ #
Any idea why fail2ban is doing this?