Musings on dovecot, exim fail2ban rules

I’ve noticed that I don’t seem to be getting any bans in my dovecot and exim fail2ban jails, but didn’t really bother digging into it. But yesterday on one of my servers, I had 6000 or so lines in my logwatch report saying

2021-12-13 06:01:30 dovecot_login authenticator failed for (User) [87.246.7.213] I=[64.227.102.168]:587: 535 Incorrect authentication data ([email protected]): 1 Time(s)

The brute force attack was well within bantime and findtime parameters, and from the same IP address, so it should have been picked up.

I took a look in the filters, and found that the dovecot filter is looking at /var/log/dovecot.log, but these lines came from /var/log/exim4/mainlog, which I thought might explain why they weren’t being picked up. So I tried writing another filter to test this out. I did a simple one to begin with.

cat filter.d/dovecot-auth.conf

[Definition]
# Anchor on the client address in "[addr] I=[...]". The posted pattern "\[<HOST>\]:"
# captured the server's own interface from the "I=[addr]:port" field instead, and
# fail2ban skips the server's own addresses by default (ignoreself = true).
failregex = .*dovecot_login authenticator failed for .*\[<HOST>\] I=\[[^\]]+\]:\d+: 535 Incorrect authentication data
ignoreregex =

And in jail.local I put:

[dovecot-auth]
enabled = true
filter = dovecot-auth
logpath = /var/log/exim4/mainlog
action = hestia[name=MAIL]
findtime = 60m
bantime = 300m

So that seemed to work. I ran the test command, and it picked up 6000 instances of the IP address:

fail2ban-regex -v /var/log/exim4/mainlog /etc/fail2ban/filter.d/dovecot-auth.conf

But when I restarted fail2ban, it didn’t add any IP addresses to the jail:

fail2ban-client status dovecot-auth
Status for the jail: dovecot-auth
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/exim4/mainlog
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

I tried setting bantime and findtime to large numbers, and still nothing. So … any ideas? Anyone else been looking at this?
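To see why a filter can report thousands of matches under fail2ban-regex yet ban nothing, here is an added Python check (not part of the original post, and not fail2ban's own code) that expands `<HOST>` the way fail2ban does, runs both the posted failregex and a corrected one over constructed exim mainlog lines, and then applies the jail's findtime/maxretry window together with the default ignoreself skip. The `<HOST>` expansion, the sample log lines and the server address 64.227.102.168 being local are assumptions made for this demonstration.

```python
import re
from datetime import datetime, timedelta

# fail2ban's expansion of the <HOST> tag (assumed from its source; IPv4/IPv6/hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex as posted in the thread, and a corrected form that anchors on the
# client address rather than on the server's own "I=[addr]:port" field.
POSTED = r".*dovecot_login.*\[<HOST>\]:.*535 Incorrect authentication data"
FIXED = (r".*dovecot_login authenticator failed for .*\[<HOST>\] I=\[[^\]]+\]:\d+:"
         r" 535 Incorrect authentication data")

# Constructed exim mainlog lines: three failures from one client within 40 seconds,
# plus an unrelated delivery line that must not match.
SAMPLE_LOG = [
    "2021-12-13 06:01:30 dovecot_login authenticator failed for (User) [87.246.7.213]"
    " I=[64.227.102.168]:587: 535 Incorrect authentication data (set_id=bob@example.com)",
    "2021-12-13 06:01:45 dovecot_login authenticator failed for (User) [87.246.7.213]"
    " I=[64.227.102.168]:587: 535 Incorrect authentication data (set_id=alice@example.com)",
    "2021-12-13 06:02:10 dovecot_login authenticator failed for (User) [87.246.7.213]"
    " I=[64.227.102.168]:587: 535 Incorrect authentication data (set_id=carol@example.com)",
    "2021-12-13 06:05:00 1mwxyz-000abc-De <= sender@example.org H=mail.example.org"
    " [198.51.100.9] P=esmtps S=2041",
]

def matched_hosts(failregex, lines):
    """What fail2ban-regex reports: the <host> group of every matching line."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(rx.search, lines) if m]

def would_ban(failregex, lines, findtime_min, maxretry, ignoreself=("64.227.102.168",)):
    """What the jail does: ban a host once it has maxretry failures inside a sliding
    findtime window, skipping the server's own addresses (ignoreself = true)."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    findtime = timedelta(minutes=findtime_min)
    recent, banned = {}, []
    for line in lines:
        m = rx.search(line)
        if not m or m.group("host") in ignoreself:
            continue
        host, ts = m.group("host"), datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        recent[host] = [t for t in recent.get(host, []) if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "matches:", matched_hosts(rx, SAMPLE_LOG),
              "bans:", would_ban(rx, SAMPLE_LOG, 60, maxretry=3))
```

With the posted pattern every match is the server's own interface address, which the jail ignores, so the ban list stays empty; the corrected pattern yields the client address and a ban after the third failure.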

I will look at this.

OK, so I had some time yesterday and started playing with this again. The rules in the exim and dovecot filters seem to be matching " 535 Incorrect authentication data" lines successfully. You can see them match when you use fail2ban-regex. But I still wasn’t getting any bans as a result.

I tried playing with the bantime and findtime in /etc/fail2ban/jail.local and set them a bit longer:

[DEFAULT]
# Set default values for all jails
bantime = 2h
findtime = 40m

That didn’t seem to work. Then I started looking in the fail2ban.sqlite3 file at /var/lib/fail2ban/fail2ban.sqlite3, and it seemed strangely empty.

So then I found something on the interwebs saying with fail2ban 0.11 onwards, there was a setting which restricted the amount of data retained in the db to one day, and indeed it was.

fail2ban-client -d | grep dbpurgeage

So I created a file at /etc/fail2ban/fail2ban.local with the following contents and restarted fail2ban.

[DEFAULT]
dbpurgeage = 30d

And now I’m getting some bans in my dovecot and exim jails, and subsequently in recidive.

So I’m not completely convinced that that was the whole problem, but things now seem to be working. I’ll monitor it and maybe apply it to another server or two. Meanwhile I thought I’d report my findings here in case anyone was interested.

Be careful with fail2ban and IMAP / SMTP since a misconfigured device can ban a whole office.
