# fail2ban jail configuration (jail.conf / jail.local layout). The %(name)s
# references below show the file is read with configparser-style
# interpolation, so a literal "%" in any value has to be written "%%".
[INCLUDES]
# Distribution path definitions (log locations and the *_backend helpers such
# as dovecot_backend used further down) are loaded before the sections here.
before = paths-fedora.conf

  4. [DEFAULT]
  5. ignoreip = 127.0.0.1/8
  6. ignorecommand =
  7. bantime = 600
  8. findtime = 600
  9. maxretry = 5
  10. backend = systemd
  11. usedns = warn
  12. logencoding = auto
  13. enabled = false
  14. filter = %(__name__)s
  15.  
  16. #
  17. # ACTIONS
  18. #
  19. destemail = root@localhost
  20. sender = root@localhost
  21. mta = sendmail
  22. protocol = tcp
  23. chain = INPUT
  24. port = 0:65535
  25. fail2ban_agent = Fail2Ban/%(fail2ban_version)s
  26.  
  27. banaction = firewallcmd-ipset
  28. banaction_allports = firewallcmd-allports
  29.  
  30.  
  31. # The simplest action to take: ban only
  32. action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  33.  
  34. # ban & send an e-mail with whois report to the destemail.
  35. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  36. %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  37.  
  38. # ban & send an e-mail with whois report and relevant log lines
  39. # to the destemail.
  40. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  41. %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  42.  
  43. # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
  44. #
  45. # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
  46. # to the destemail.
  47. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  48. xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
  49.  
  50. # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
  51. # to the destemail.
  52. action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
  53. %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  54.  
  55.  
  56. action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
  57. action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
  58. action = %(action_)s
  59.  
  60. # JAILS
  61.  
  62. [dovecot]
  63. enabled = true
  64. port = pop3,pop3s,imap,imaps,submission,465,sieve
  65. filter = dovecot
  66. logpath = /var/log/dovecot.log
  67. maxretry = 1
  68. findtime = 60000
  69. bantime = 60000
  70. datepattern = %b %d %H:%M:%S
  71. backend = %(dovecot_backend)s
  72.  
  73. ---
  74.  
  75. /etc/fail2ban/jail.d/00-firewalld.conf
  76.  
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
#
# Packaged jail.d fragment. The jail configuration above sets the same
# banaction, so the two files agree whichever one fail2ban reads last.
[DEFAULT]
banaction = firewallcmd-ipset
  82.  
  83. /etc/fail2ban/filter.d/dovecot.conf
  84.  
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# Custom filter: it only keys on the auth-worker "sql(...)" lines; see the
# notes in [Definition] for what that leaves uncovered.

[INCLUDES]

# common.conf provides the shared %(__prefix_line)s helper; the failregex in
# this file does not reference it, so the include is currently inert here.
before = common.conf

  91.  
  92. [Definition]
  93.  
  94. _daemon = (auth|dovecot(-auth)?|auth-worker)
  95.  
  96. failregex =auth-worker(S*): Info: sql(S*,<HOST>): Password mismatchs*$
  97. auth-worker(S*): Info: sql(S*,<HOST>): unknown users*$
  98.  
  99.  
  100. ignoreregex =
  101.  
[Init]

# Journal selector used when the jail's backend is systemd; a file backend
# ignores it and reads logpath instead.
journalmatch = _SYSTEMD_UNIT=dovecot.service

  105.  
# NOTE(review): this block repeats jail.d/00-firewalld.conf above. banaction
# is a jail option, not a filter option; if it really sits at the end of
# filter.d/dovecot.conf it is most likely a paste artefact and has no
# visible effect there -- confirm and remove.
[DEFAULT]
banaction = firewallcmd-ipset
  108.  
  109. Running tests
  110. =============
  111.  
  112. Use failregex filter file : dovecot, basedir: /etc/fail2ban
  113. Use log file : /var/log/dovecot.log
  114. Use encoding : UTF-8
  115.  
  116.  
  117. Results
  118. =======
  119. Failregex: 11 total
  120. |- #) [# of hits] regular expression
  121. | 1) [10] auth-worker(S*): Info: sql(S*,<HOST>): Password mismatchs*$
  122. | 2) [1] auth-worker(S*): Info: sql(S*,<HOST>): unknown users*$
  123. `-
  124.  
  125. Ignoreregex: 0 total
  126.  
  127. Date template hits:
  128. |- [# of hits] date format
  129. | [24] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
  130. `-
  131.  
  132. Lines: 24 lines, 0 ignored, 11 matched, 13 missed
  133. [processed in 0.01 sec]
  134.  
  135. |- Matched line(s):
  136. | Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
  137. | Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
  138. | Dec 09 14:16:13 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown user
  139. | Dec 09 20:37:39 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  140. | Dec 09 20:37:47 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  141. | Dec 09 20:37:53 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  142. | Dec 09 20:37:56 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  143. | Dec 09 20:37:59 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  144. | Dec 09 21:29:57 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  145. | Dec 09 21:30:04 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  146. | Dec 09 21:30:11 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
  147. `-
  148. |- Missed line(s):
  149. | Dec 09 14:16:19 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
  150. | Dec 09 20:37:06 config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it
  151. | Dec 09 20:37:09 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>
  152. | Dec 09 20:37:09 imap(user2@test.example.com): Info: Disconnected: Disconnected in IDLE in=11 out=366
  153. | Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>
  154. | Dec 09 21:15:26 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
  155. | Dec 09 21:15:26 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
  156. | Dec 09 21:15:26 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
  157. | Dec 09 21:16:01 master: Info: Dovecot v2.2.10 starting up for imap, lmtp (core dumps disabled)
  158. | Dec 09 21:29:41 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4144, TLS, session=<ehkWnT9DVQCsEAIK>
  159. | Dec 09 21:29:42 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4145, TLS, session=<59krnT9DVACsEAIK>
  160. | Dec 09 21:30:21 imap(user2@test.example.com): Info: Disconnected: Logged out in=1716 out=12112
  161. | Dec 09 21:32:48 imap-login: Info: Disconnected (auth failed, 3 attempts in 171 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<QIYQnj9DVwCsEAIK>
  162.  
  163. Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
  164. Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
  165. Dec 09 14:16:13 auth-worker(31603): Info: sql(user@test.example.com,192.168.13.107): unknown user