Fail2ban dovecot-whitelist

I have been thinking about clients being banned out of the mail server because of a misconfigured device in a small office of 10 users.

The idea is to add to ignoreip the successful login IPs so they don’t get banned in 14400 seconds.

I successfully implemented the solution. I hope this helps.

I have followed this manual: Using a Fail2Ban Jail to Whitelist a User < System | The Art of Web

  1. Edit /etc/fail2ban/jail.local and add:
    enabled = true
    filter = dovecot-whitelist
    logpath = /var/log/dovecot.log
    maxretry = 0
    bantime = 14400
    action = ignoreip[name=WHITELIST]

  2. Create
    before = common.conf
    _auth_worker = (?:dovecot: )?auth(?:-worker)?
    _daemon = (?:dovecot(?:-auth)?|auth)
    failregex = ^.(?:pop3|imap)-login: Info:\s$
    ignoreregex = ^authentication failure; logname=\S
    uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
    ^(?:Aborted login|Disconnected)(?::(?: [^ (]+)+)? ((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)):(?: user=<[^>]>,)?(?: method=\S+,)
    )?): pam_authenticate() failed: (?:User not known to the underlying authentication module: \d+ Time(s)|Authentication failure (password mismatch?)|Permi
    ^[a-z-]{3,15}(\S*,(?:,\S*)?): (?:unknown user|invalid credentials)\s*$
    journalmatch = _SYSTEMD_UNIT=dovecot.service
    datepattern = {^LN-BEG}TAI64N

  3. create /etc/fail2ban/action.d/ignoreip.conf
    actionstart =
    actionstop =
    actioncheck = iptables -n -L | grep -q ‘f2b-[ \t]’
    actionban = fail2ban-client set addignoreip
    actionunban = fail2ban-client set delignoreip
    name = default
    chain = INPUT

@eris if I submit this as a Pull Request will it get included?


Please make a pull request. Please also include an upgrade script for current installs.

1 Like

This is the first time I try. Please be patient. :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.