I have been thinking about clients being banned from the mail server because of a misconfigured device in a small office of 10 users.
The idea is to add the IPs of successful logins to ignoreip so they don't get banned for 14400 seconds.
I successfully implemented the solution. I hope this helps.
I have followed this manual: Using a Fail2Ban Jail to Whitelist a User (System | The Art of Web)
Edit /etc/fail2ban/jail.local and add:

[dovecot-whitelist]
enabled = true
filter = dovecot-whitelist
logpath = /var/log/dovecot.log
# maxretry = 0: the first successful login already triggers the action
maxretry = 0
# how long the address stays on the ignore list before actionunban removes it
bantime = 14400
# name= is passed to the action as <name>; it must be the jail whose ignoreip
# list should receive the address (the jail that would otherwise ban the client)
action = ignoreip[name=WHITELIST]
Create /etc/fail2ban/filter.d/dovecot-whitelist.conf:

[INCLUDES]
before = common.conf

[Definition]
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

# a "failure" for this jail is a successful IMAP/POP3 login; <HOST> captures rip=
failregex = ^.*(?:pop3|imap)-login: Info: Login:.*rip=<HOST>.*\s*$

# never treat the stock dovecot filter's failure lines as a match
ignoreregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
              ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
              ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
              ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}
Create /etc/fail2ban/action.d/ignoreip.conf:

[Definition]
actionstart =
actionstop =
# nothing to check: this action creates no iptables chain of its own, so a
# grep for an f2b-<name> chain would fail and block every ban
actioncheck =
# <name> comes from the jail (ignoreip[name=...]) and must be the jail whose
# ignore list grows; <ip> is the address matched by the filter
actionban = fail2ban-client set <name> addignoreip <ip>
actionunban = fail2ban-client set <name> delignoreip <ip>

[Init]
name = default
chain = INPUT
@eris if I submit this as a Pull Request will it get included?
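To see what the two jails do together before loading them on a live server, here is an added example (my own code, not from the post, from The Art of Web or from fail2ban) that replays constructed dovecot.log lines through the whitelist filter above and a simplified stand-in for the stock dovecot jail. The `<HOST>` stand-in, the shortened "auth failed" pattern, the protected jail's maxretry of 5 and the sample lines are all assumptions made for this example; `findtime` is ignored.

```python
"""Added example (not from the original post or from fail2ban): replay a few
constructed dovecot.log lines through the two-jail whitelist scheme and show
which addresses end up ignored, counted, or banned."""
import re
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion. The real tag also accepts
# hostnames; this constructed pattern covers IPv4/IPv6 literals only.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

# failregex of the dovecot-whitelist filter above, <HOST> expanded.
LOGIN_RE = re.compile(
    r"^.*(?:pop3|imap)-login: Info: Login:.*rip=" + HOST + r".*\s*$")

# Simplified stand-in for the stock dovecot jail's "auth failed" pattern
# (constructed for this example; the real filter has more alternatives).
FAIL_RE = re.compile(
    r"^.*(?:pop3|imap)-login: Info: (?:Aborted login|Disconnected)"
    r"(?::(?: [^ (]+)+)? \(auth failed, \d+ attempts(?: in \d+ secs)?\):"
    r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=" + HOST)


def _ts(line):
    """Seconds from the 'Mon DD HH:MM:SS' prefix; the year is irrelevant."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()


def _line(when, kind, user, ip):
    """Build a constructed dovecot.log line of the given kind."""
    if kind == "login":
        return (f"{when} imap-login: Info: Login: user=<{user}>, method=PLAIN, "
                f"rip={ip}, lip=198.51.100.1, mpid=4242, TLS, session=<s1>")
    return (f"{when} imap-login: Info: Disconnected (auth failed, 1 attempts "
            f"in 2 secs): user=<{user}>, method=PLAIN, rip={ip}, "
            f"lip=198.51.100.1, TLS, session=<s2>")


# Constructed log: one good login from the office, then the same device
# retrying a stale password, an unknown host brute-forcing, and the office
# device still failing after the 14400 s whitelist entry has expired.
SAMPLE_LOG = [
    _line("Mar 03 08:00:01", "login", "alice", "192.0.2.10"),
    *[_line(f"Mar 03 08:0{i}:00", "fail", "alice", "192.0.2.10") for i in range(1, 7)],
    *[_line(f"Mar 03 09:0{i}:00", "fail", "admin", "203.0.113.7") for i in range(5)],
    _line("Mar 03 12:30:00", "fail", "alice", "192.0.2.10"),
]


def simulate(lines, whitelist_bantime=14400, protected_maxretry=5):
    """Replay lines through the whitelist jail (maxretry=0) and a protected
    dovecot jail. Assumptions: maxretry=5 for the protected jail (stock
    jail.conf default) and no findtime window. Returns
    (banned_ips, ignored_failures_per_ip, counted_failures_per_ip)."""
    ignore_until = {}  # ip -> time at which the whitelist jail's unban runs delignoreip
    counts, ignored, banned = {}, {}, []
    for line in lines:
        now = _ts(line)
        m = LOGIN_RE.match(line)
        if m:
            # maxretry=0: the first match fires actionban, i.e. addignoreip
            ignore_until[m.group("host")] = now + whitelist_bantime
            continue
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group("host")
        if ignore_until.get(ip, 0) > now:
            # an address on the protected jail's ignoreip list is never counted
            ignored[ip] = ignored.get(ip, 0) + 1
            continue
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= protected_maxretry and ip not in banned:
            banned.append(ip)
    return banned, ignored, counts


if __name__ == "__main__":
    banned, ignored, counts = simulate(SAMPLE_LOG)
    print("banned:", banned)                          # ['203.0.113.7']
    print("failures ignored (whitelisted):", ignored)  # {'192.0.2.10': 6}
    print("failures counted:", counts)                # {'203.0.113.7': 5, '192.0.2.10': 1}
```

The replay makes the trade-off visible: the misconfigured office device survives six bad passwords because its address was whitelisted by the earlier good login, while the unknown host is banned on its fifth failure, and the office device starts being counted again once the 14400 s entry has lapsed. The same exemption applies to any address that logs in successfully, so a leaked password used from elsewhere also buys that address four hours of immunity from the brute-force jail; keep the whitelist bantime short and watch the `addignoreip` entries in the fail2ban log. To check the real filter against the real log, run `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-whitelist.conf` and confirm that only "Login:" lines are reported as matches.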