I’ve noticed that I don’t seem to be getting any bans in my dovecot and exim fail2ban jails, but didn’t really bother digging into it. But yesterday on one of my servers, I had 6000 or so lines in my logwatch report saying
2021-12-13 06:01:30 dovecot_login authenticator failed for (User) [87.246.7.213] I=[64.227.102.168]:587: 535 Incorrect authentication data ([email protected]): 1 Time(s)
The brute force attack was well within bantime and findtime parameters, and from the same IP address, so it should have been picked up.
I took a look in the filters, and found that the dovecot filter is looking at /var/log/dovecot.log, but these lines came from /var/log/exim4/mainlog, which I thought might explain why they weren’t being picked up. So I tried writing another filter to test this out. I did a simple one to begin with.
cat filter.d/dovecot-auth.conf
[Definition]
failregex = .*dovecot_login.*\[<HOST>\]:.*535 Incorrect authentication data
ignoreregex =
And in jail.local I put:
[dovecot-auth]
enabled = true
filter = dovecot-auth
logpath = /var/log/exim4/mainlog
action = hestia[name=MAIL]
findtime = 60m
bantime = 300m
So that seemed to work. I ran the test command, and it picked up 6000 instances of the IP address:
fail2ban-regex -v /var/log/exim4/mainlog /etc/fail2ban/filter.d/dovecot-auth.conf
But when I restarted fail2ban, it didn't add any IP addresses to the jail:
fail2ban-client status dovecot-auth
Status for the jail: dovecot-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/exim4/mainlog
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
I tried setting bantime and findtime to large numbers, and still nothing. So … any ideas? Anyone else been looking at this?
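A quick way to see what a failregex actually hands to fail2ban is to substitute the `<HOST>` placeholder and run it over the log line from the report. The script below is an added example, not part of the post or of fail2ban; it assumes fail2ban's classic `<HOST>` pattern (a simplified stand-in for the real one) and a constructed mailbox address in the sample line. It shows that the posted pattern, which requires a colon right after the closing bracket, can only match the `I=[...]:587` interface part, so the captured address is the server's own IP rather than the client's; a variant anchored on `[<HOST>] I=` captures the client.

```python
import re

# Classic fail2ban <HOST> pattern (assumption: a simplified stand-in for the
# pattern fail2ban substitutes; sufficient to reproduce the capture here).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The log line from the report without the logwatch "1 Time(s)" suffix.
# The mailbox address is a constructed placeholder.
LOG_LINE = (
    "2021-12-13 06:01:30 dovecot_login authenticator failed for (User) "
    "[87.246.7.213] I=[64.227.102.168]:587: 535 Incorrect authentication "
    "data (user@example.test)"
)

# failregex exactly as posted in filter.d/dovecot-auth.conf.
POSTED_FAILREGEX = (
    r".*dovecot_login.*\[<HOST>\]:.*535 Incorrect authentication data"
)

# Alternative that anchors on the "[client] I=[" pair, so <HOST> can only be
# the remote client address, never the local listening interface.
FIXED_FAILREGEX = (
    r"dovecot_login authenticator failed for .*\[<HOST>\] I=\["
    r".*535 Incorrect authentication data"
)


def extract_host(failregex: str, line: str):
    """Return the address <HOST> captures for one log line, or None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    match = pattern.search(line)
    return match.group("host") if match else None


if __name__ == "__main__":
    print("posted filter captures:", extract_host(POSTED_FAILREGEX, LOG_LINE))
    print("fixed filter captures: ", extract_host(FIXED_FAILREGEX, LOG_LINE))
```

Because the posted pattern resolves every hit to the server's own address, fail2ban's default `ignoreself = true` discards the match before it is counted, which is consistent with the jail reporting zero failures while `fail2ban-regex` reports thousands of regex matches.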