# /etc/fail2ban/jail.local — local overrides for the fail2ban jails
# (configparser-style syntax: %(name)s interpolation, indented lines
# continue the previous value, '#' starts a full-line comment).
[INCLUDES]
# Read before this file; presumably where keys referenced below but not
# defined here (e.g. %(dovecot_backend)s in the [dovecot] jail) come from —
# confirm against that file.
before = paths-fedora.conf
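[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# Sources that are never banned. Only loopback is listed; NOTE(review): the
# [dovecot] jail further down bans after a single failure, so consider
# listing the admin / monitoring networks here as well.
ignoreip = 127.0.0.1/8
# External command consulted for additional ignore decisions; empty = none.
ignorecommand =
# seconds a source stays banned
bantime = 600
# seconds: window in which maxretry failures must occur
findtime = 600
maxretry = 5
# Default log source for every jail that does not override it.
backend = systemd
usedns = warn
logencoding = auto
# Jails are inactive unless they set enabled = true themselves.
enabled = false
# Filter name defaults to the jail name.
filter = %(__name__)s
#
# ACTIONS
#
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
# Multi-line action definitions: the continuation lines are indented so the
# config reader appends them to the preceding key instead of treating them
# as new keys (unindented, they are a parse error).
#
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
# (cfemail / cfapikey are not defined in this file; only relevant if a jail
# selects this action.)
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Action used by jails that do not set their own: ban only. The other
# action_* definitions above are unreferenced unless a jail selects them.
action = %(action_)s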
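#
# JAILS
#
[dovecot]
enabled = true
# Services blocked for a banned source.
port = pop3,pop3s,imap,imaps,submission,465,sieve
filter = dovecot
# Read only when the resolved backend polls a file; with the systemd backend
# the filter's journalmatch selects the journal instead. NOTE(review): the
# fail2ban-regex run further down tested this file, so confirm which source
# %(dovecot_backend)s makes the running jail read.
logpath = /var/log/dovecot.log
# One failure inside findtime bans the source for bantime seconds
# (60000 s ≈ 16.7 h). With only loopback in ignoreip, a single mistyped
# password locks that address out for that long — admins included.
maxretry = 1
findtime = 60000
bantime = 60000
# NOTE(review): the config reader treats '%' as an interpolation marker (see
# %(...)s elsewhere in this file) — confirm that fail2ban accepts %b / %d /
# %H here or whether they must be written %%b %%d %%H:%%M:%%S. The
# fail2ban-regex output below matched all dates with the built-in template,
# so this key may be unnecessary.
datepattern = %b %d %H:%M:%S
# Not defined in this file; presumably comes from the included paths-*.conf.
backend = %(dovecot_backend)s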
- ---
- /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
#
# jail.local above sets the same banaction, so whichever of the two files
# fail2ban reads last, the effective value is unchanged.
[DEFAULT]
banaction = firewallcmd-ipset
- /etc/fail2ban/filter.d/dovecot.conf
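# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# NOTE(review): the pasted regexes had lost their backslashes ("(S*)" for
# "\(\S*\)", "s*$" for "\s*$"); as shown they could not match the sample
# lines, while the fail2ban-regex output further down reports hits for the
# same stripped rendering. The escapes are restored here.
[INCLUDES]
before = common.conf
[Definition]
# Declared for common.conf's prefix handling; the failregex below do not use
# %(__prefix_line)s, so this value has no effect on them.
_daemon = (auth|dovecot(-auth)?|auth-worker)
# auth-worker SQL password-check lines; <HOST> is the client address logged
# after the user name. The continuation line is indented so the config
# reader appends it to failregex instead of reading it as a new key.
failregex = auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
            auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$
ignoreregex =
[Init]
# Journal selector used when the jail's backend is systemd; a file backend
# reads the jail's logpath instead.
journalmatch = _SYSTEMD_UNIT=dovecot.service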
# NOTE(review): this repeats jail.d/00-firewalld.conf. A banaction key inside
# a filter.d file is not what the jail reads for its action — confirm it
# belongs here or drop it.
[DEFAULT]
banaction = firewallcmd-ipset
- Running tests
- =============
- Use failregex filter file : dovecot, basedir: /etc/fail2ban
- Use log file : /var/log/dovecot.log
- Use encoding : UTF-8
- Results
- =======
- Failregex: 11 total
- |- #) [# of hits] regular expression
- | 1) [10] auth-worker(S*): Info: sql(S*,<HOST>): Password mismatchs*$
- | 2) [1] auth-worker(S*): Info: sql(S*,<HOST>): unknown users*$
- `-
- Ignoreregex: 0 total
- Date template hits:
- |- [# of hits] date format
- | [24] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
- `-
- Lines: 24 lines, 0 ignored, 11 matched, 13 missed
- [processed in 0.01 sec]
- |- Matched line(s):
- | Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
- | Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
- | Dec 09 14:16:13 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown user
- | Dec 09 20:37:39 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 20:37:47 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 20:37:53 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 20:37:56 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 20:37:59 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 21:29:57 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 21:30:04 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- | Dec 09 21:30:11 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
- `-
- |- Missed line(s):
- | Dec 09 14:16:19 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
- | Dec 09 20:37:06 config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it
- | Dec 09 20:37:09 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>
- | Dec 09 20:37:09 imap(user2@test.example.com): Info: Disconnected: Disconnected in IDLE in=11 out=366
- | Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>
- | Dec 09 21:15:26 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
- | Dec 09 21:15:26 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
- | Dec 09 21:15:26 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
- | Dec 09 21:16:01 master: Info: Dovecot v2.2.10 starting up for imap, lmtp (core dumps disabled)
- | Dec 09 21:29:41 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4144, TLS, session=<ehkWnT9DVQCsEAIK>
- | Dec 09 21:29:42 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4145, TLS, session=<59krnT9DVACsEAIK>
- | Dec 09 21:30:21 imap(user2@test.example.com): Info: Disconnected: Logged out in=1716 out=12112
- | Dec 09 21:32:48 imap-login: Info: Disconnected (auth failed, 3 attempts in 171 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<QIYQnj9DVwCsEAIK>
- Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
- Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
- Dec 09 14:16:13 auth-worker(31603): Info: sql(user@test.example.com,192.168.13.107): unknown user