Help with fail2ban

Hello!
I’m in the /va/log/dovecot.log section.
I see constant attempts to log in to my email address.
But fail2ban, for some reason, isn’t blocking them.
I need help configuring fail2ban. I’ve searched the forums and couldn’t find the solution I need.
Below are the Fail2Ban logs and configurations.

dovecot.log

Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: Connection closed, session=<PbeNsAVCTpKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: Connection closed, session=<HCOMsAVCTJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: read(size=598) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: read(size=598) failed: Connection reset by peer, session=<a2KHsAVCKJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: read(size=598) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: read(size=598) failed: Connection reset by peer, session=<VMqIsAVCOJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: read(size=677) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: read(size=677) failed: Connection reset by peer, session=<i5iKsAVCRJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Too many invalid commands (no auth attempts in 1 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS, session=<UXOFsAVCIJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<vYCOsAVCWpKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: Connection closed, session=<pdqQsAVCaJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: read(size=596) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: read(size=596) failed: Connection reset by peer, session=<X2eSsAVCbJKSvhqw>
Oct 26 04:27:44 imap-login: Info: Disconnected: Connection closed: SSL_accept() failed: error:0A0000C1:SSL routines::no shared cipher (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: SSL_accept() failed: error:0A0000C1:SSL routines::no shared cipher, session=<jBeTsAVCfJKSvhqw>
Oct 26 04:27:45 imap-login: Info: Disconnected: Connection closed: SSL_accept() failed: error:0A00006C:SSL routines::bad key share (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS handshaking: SSL_accept() failed: error:0A00006C:SSL routines::bad key share, session=<IHSUsAVChpKSvhqw>
Oct 26 04:27:45 imap-login: Info: Disconnected: Too many invalid commands (no auth attempts in 0 secs): user=<>, rip=146.190.26.176, lip=192.168.0.80, TLS, session=<bAuXsAVClJKSvhqw>

fail2ban.cfg

[ssh-iptables]
enabled  = true
filter   = sshd
action   = hestia[name=SSH]
logpath  = /var/log/auth.log
maxretry = 1
findtime = 3600
bantime  = 864000

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = hestia[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 1
findtime = 3600
bantime  = 864000

[exim-iptables]
enabled  = true
filter   = exim
action   = hestia[name=MAIL]
logpath  = /var/log/exim4/mainlog
maxretry = 1
findtime = 3600
bantime  = 864000

[dovecot-iptables]
enabled  = true
filter   = dovecot
action   = hestia[name=MAIL]
logpath  = /var/log/dovecot.log
maxretry = 1
findtime = 3600
bantime  = 864000

[mysqld-iptables]
enabled  = true
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql/error.log
maxretry = 1
findtime = 3600
bantime  = 864000

[hestia-iptables]
enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 1
findtime = 3600
bantime  = 864000

[roundcube-auth]
enabled  = false
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors.log
maxretry = 1
findtime = 3600
bantime  = 864000

[phpmyadmin-auth]
enabled  = true
filter   = phpmyadmin-syslog
action   = hestia[name=WEB]
logpath  = /var/log/auth.log
maxretry = 2
findtime = 3600
bantime  = 864000

[recidive]
enabled  = true
filter   = recidive
action   = hestia[name=RECIDIVE]
logpath  = /var/log/fail2ban.log
maxretry = 1
findtime = 3600
bantime  = 31536000

Screen section firewall-banlist

image1019×435 26 KB

In general, I created a new filter just for myself to block such bot scanners.

/etc/fail2ban/jail.d/dovecot-handshake.conf

[Definition]

# We catch any IMAP session interruptions during TLS handshaking
# and connections without authentication attempts (user=<>)

failregex = ^.*imap-login: Info: Disconnected: .*rip=<HOST>.*, TLS handshaking:.*$
             ^.*imap-login: Info: Disconnected: .*user=<>.*rip=<HOST>.*$
             ^.*imap-login: Info: Disconnected: Too many invalid commands.*rip=<HOST>.*$
ignoreregex =

/etc/fail2ban/jail.local

[dovecot-handshake]
enabled  = true
filter   = dovecot-handshake
action   = hestia[name=MAIL]
logpath  = /var/log/dovecot.log
maxretry = 2
findtime = 3600
bantime  = 864000 

Ultimately, we get a nice output and blocking of unnecessary spam on the machine.

fail2ban-client status dovecot-handshake

Status for the jail: dovecot-handshake
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   146.190.26.176