Issue Fail2Ban dovecot/Imap gets banned by false Settings

[daanse]

Hi,
I really often encountered Problems with Clients and Email-Clients where they get banned while using (not 100%) correct Settings,
i.e.
-SSL Ports but normal unsecure Server.
- Secure Server with Plain Password
- mixed up Settings (SSL and non SSL) ....

... which caused a ban for the Customer.
So a few Minutes i goes well and than Customer gets banned.

If the Settings are mixed up it should not work at all, instead it works but triggers fails and bans.

Does anyone have an Idea what to do here?

System:
Plesk Onyx 17.0.x
Debian 8.7
(SSL/ Mailserver works 100% with good setup Email Client)
Dovecot

 

[Noam Harel]

Hi,

I had encountered this situation with the "plesk-apache" jail, doing "tail -f /var/log/fail2ban.log", showed that simple browsing is being banned for unknown reason, i had removed the "logpath" that is related to the logs of the websites [(under system vhost) note that fail2ban is actually reading logs on the server and when an entry in the log is being repeated it gets trigerrs fail2ban put the source IP in "Jail"]. so in case you cannot find the main problem you can disable the jail or remove the problematic logpath from the Jail settings.


Noam

 

[daanse]

Hi @Noam Harel ,

i think it has nothing to do with Web/ apache.
I encountered the Problem only with email and same Problem with a Customer who can only USE Emails with Plesk.
Service Packages with Hosting disabled.

And on the other Hand, customers with big Sites have no Problems. This is an Email Problem.
At our Office we setup a new Email and the MailClient tried to set auto Settings and sus we were banned for "testing" with mixed Email Settings.
This is weird.

 

[Linulex]

You need to look at /var/log/fail2ban.log to see what rule gets triggered, postfix or dovecot
then look into /var/log/maillog the reason it gets triggered

here is an example of postix that gets triggered by a hacker

/var/log/fail2ban.log

2017-05-04 11:16:45,093 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:45,776 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:46,464 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:47,149 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:47,837 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:48,523 fail2ban.filter         [2903]: INFO    [plesk-postfix] Found 190.145.95.203
2017-05-04 11:16:48,582 fail2ban.actions        [2903]: NOTICE  [plesk-postfix] Ban 190.145.95.203

/var/log/maillog

May  4 11:16:45 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure
May  4 11:16:45 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure
May  4 11:16:46 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure
May  4 11:16:47 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure
May  4 11:16:47 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure
May  4 11:16:48 kvmtest242 postfix/smtpd[20884]: warning: unknown[190.145.95.203]: SASL LOGIN authentication failed: authentication failure

Once you established this, you can tell your customer what the reason is or adjust the jail if it blocks legitimate logins.

regards
Jan

 

[Noam Harel]

Hi @Noam Harel ,

i think it has nothing to do with Web/ apache.
I encountered the Problem only with email and same Problem with a Customer who can only USE Emails with Plesk.
Service Packages with Hosting disabled.

And on the other Hand, customers with big Sites have no Problems. This is an Email Problem.
At our Office we setup a new Email and the MailClient tried to set auto Settings and sus we were banned for "testing" with mixed Email Settings.
This is weird.

hi, i just put it there for example, you actually need to do a "tail -f /var/log/fail2ban.log" in order to see the real Jail and then modify it.

 

[daanse]

how to modify?
we encountered this Problem again today.
If Settings are not 100% correct it works but customer gets banned in a few minutes.

2017-05-10 11:56:46,937 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:46,950 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,016 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,024 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,090 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,101 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,168 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,179 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,214 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,220 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,255 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,261 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,368 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,372 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,485 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,490 fail2ban.filter [1674]: INFO [plesk-postfix] Found 192.ip.ip.ip
2017-05-10 11:56:47,870 fail2ban.actions [1674]: NOTICE [plesk-postfix] Ban 192.ip.ip.ip
2017-05-10 11:56:47,882 fail2ban.filter [1674]: INFO [recidive] Found 192.ip.ip.ip
2017-05-10 11:56:48,103 fail2ban.actions [1674]: NOTICE [plesk-postfix] 192.ip.ip.ip already banned
2017-05-10 11:56:49,105 fail2ban.actions [1674]: NOTICE [plesk-postfix] 192.ip.ip.ip already banned

Can't there be adjustments for just get banned if data is really wrong.
In this Case we only have some "not 100% correct setup Mailaccount"
i.e. Port 993 but not hostname with SSL

 

[Linulex]

@daanse

Fail2ban checks the logs for paterns. I am pretty sure the writers of the filters have examined the logs extensive and created filters that only ban what is really wrong.
The best thing you can do (as i suggested earlier) is to check the logs on who and why this jail gets triggered.

If the jail is to strikt or wrong, you can adjust the filter that this jail uses.

But most of the time it is the user that does something wrong. He/she might not always know it. For example an account on a phone that tries to log in without password.
To know why this ip address gets banned, you need to examine the filter and check the log why that filter gets triggered.
Once you know that, you can inform the client what he does wrong, or adjust the filter.

fyi: port 993 = imap,
the triggered jail is postfix. different deamon. This is most of the time someone that tries to login to smtp with a wrong or no password, or a wrong protocol like cram-md5.

If you client uses Apple mail, iphone then you might want to check if his account tries to login with CRAM-MD5. apple is known to want to use cram-md5.

Regards
Jan

 

[daanse]

Hi @Linulex ,

thank you, i know that Port
This i just saw, as he got banned again.
Its an Androidphone, i think Laptop is working but Android not.
And i remeber that i setup Android phone by myself some time ago.
I had not much options to choose and i definetily setup secure Hostname, used secure Ports and so on.

For my understanding: Wrong Settings can work but always get somehow banned from Fail2ban because it triggers a fail?
This is what i'm talking all the time and what i really don't understand. Why handling false Settings with BAN.
Better would be if false settings wont work at all. In my examples false Settings works but get randomly banned.
And i didn't changed f2b Filters.

Are there more advanced Filters which in this case could be used? I really don't like regex.....

 grep '192.ip.ip.ip' /usr/local/psa/var/log/maillog
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=453, sent=2825
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=129, sent=1004
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=148, sent=1469
May 11 09:01:41 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<Xo4WKTpPOpZP724P>
May 11 09:01:46 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5135, TLS: Disconnected, session=<D8xAKTpPP5ZP724P>
May 11 09:01:46 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=0, sent=348
May 11 09:02:05 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<s2p8KjpPZpZP724P>
May 11 09:02:09 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5161, TLS, session=<VJqhKjpPZ5ZP724P>
May 11 09:02:13 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<iiP9KjpPaJZP724P>
May 11 09:02:17 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5181, TLS, session=<2yUdKzpPapZP724P>
May 11 09:20:22 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=0, sent=348
May 11 09:32:11 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=194, sent=1632
May 11 15:04:57 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<yK84PD9Pqp5P724P>
May 11 15:05:01 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=21830, TLS, session=<OQNbPD9Prp5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<XW1WPD9PrJ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<lYpZPD9PrZ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<y7BdPD9Pr55P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<+GNmPD9PsJ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<PV1mPD9PsZ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<2XNpPD9Psp5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<4Q1tPD9Ps55P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22225, TLS, session=<SfrGPD9Ptp5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22226, TLS, session=<YwvHPD9PtZ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22228, TLS, session=<hBvHPD9PtJ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22229, TLS, session=<iHXHPD9Pt55P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22230, TLS, session=<G97HPD9PuJ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22231, TLS, session=<zfLHPD9Pup5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22232, TLS, session=<3BnIPD9PuZ5P724P>
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=95, sent=829
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=65, sent=654
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=65, sent=654
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=65, sent=654
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=65, sent=654
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=65, sent=654
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=76, sent=654
May 11 15:05:16 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<ExtXPT9Pu55P724P>
May 11 15:05:20 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22328, TLS, session=<ojQ8PT9PvM1P724P>
May 11 15:05:20 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22329, TLS, session=<Ubx7PT9PvZ5P724P>
May 11 15:05:22 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<TA1yPT9PvJ5P724P>
May 11 15:05:22 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22398, TLS, session=<dvfXPT9Pvp5P724P>
May 11 15:20:36 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=24981, TLS, session=<iy5OdD9PRM5P724P>
May 11 15:22:37 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=25385, TLS, session=<+RyHez9PTc5P724P>
May 11 15:22:38 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=25387, TLS, session=<MHaOez9PT85P724P>
May 11 15:22:38 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=25391, TLS, session=<LASaez9PUc5P724P>
May 11 15:23:46 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed (IDLE running for 0.001 + waiting input for 1105.500 secs, 2 B in + 10+0 B out, state=wait-input) rcvd=683, sent=62186
May 11 15:35:15 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=190, sent=1833
May 11 15:35:22 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=95, sent=867
May 11 15:35:23 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=238, sent=2130
May 11 15:52:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=218, sent=774
May 11 16:09:38 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=809, TLS, session=<41ikI0BP2c9P724P>

 

[daanse]

Hi @Linulex ,

thank you, i know that Port
This i just saw, as he got banned again.
Its an Androidphone, i think Laptop is working but Android not.
And i remeber that i setup Android phone by myself some time ago.
I had not much options to choose and i definetily setup secure Hostname, used secure Ports and so on.

For my understanding: Wrong Settings can work but always get somehow banned from Fail2ban because it triggers a fail?
This is what i'm talking all the time and what i really don't understand. Why handling false Settings with BAN.
Better would be if false settings wont work at all. In my examples false Settings works but get randomly banned.
And i didn't changed f2b Filters.

Are there more advanced Filters which in this case could be used? I really don't like regex.....

 grep '192.ip.ip.ip' /usr/local/psa/var/log/maillog
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=453, sent=2825
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=129, sent=1004
May 11 09:01:39 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=148, sent=1469
May 11 09:01:41 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<Xo4WKTpPOpZP724P>
May 11 09:01:46 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5135, TLS: Disconnected, session=<D8xAKTpPP5ZP724P>
May 11 09:01:46 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=0, sent=348
May 11 09:02:05 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<s2p8KjpPZpZP724P>
May 11 09:02:09 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5161, TLS, session=<VJqhKjpPZ5ZP724P>
May 11 09:02:13 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<iiP9KjpPaJZP724P>
May 11 09:02:17 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=5181, TLS, session=<2yUdKzpPapZP724P>
May 11 09:20:22 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=0, sent=348
May 11 09:32:11 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Disconnected for inactivity rcvd=194, sent=1632
May 11 15:04:57 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<yK84PD9Pqp5P724P>
May 11 15:05:01 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=21830, TLS, session=<OQNbPD9Prp5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<XW1WPD9PrJ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<lYpZPD9PrZ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<y7BdPD9Pr55P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<+GNmPD9PsJ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<PV1mPD9PsZ5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<2XNpPD9Psp5P724P>
May 11 15:05:04 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<4Q1tPD9Ps55P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22225, TLS, session=<SfrGPD9Ptp5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22226, TLS, session=<YwvHPD9PtZ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22228, TLS, session=<hBvHPD9PtJ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22229, TLS, session=<iHXHPD9Pt55P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22230, TLS, session=<G97HPD9PuJ5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22231, TLS, session=<zfLHPD9Pup5P724P>
May 11 15:05:12 Servername dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22232, TLS, session=<3BnIPD9PuZ5P724P>
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=95, sent=829
May 11 15:05:13 Servername dovecot: service=imap, [email protected], ip=[192.ip.ip.ip]. Connection closed rcvd=76, sent=654
May 11 15:05:16 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<ExtXPT9Pu55P724P>
May 11 15:05:20 Servername dovecot: imap-login: Login: user=<[email protected]>, method=CRAM-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, mpid=22328, TLS, session=<ojQ8PT9PvM1P724P>

WE HAVE TESTED IT WITH Android 7.0 (Samsung S6)
and we set everything up to SSL and to normal, without SSL.
And the Log shows everytime i refresh for new Emails:
imap-login: Disconnected (auth failed, 1 attempts in 10 secs) method=DIGEST-MD5
imap-login: Login: user=<.....>, method=PLAIN,

SO It logins, fails and next second success. It works half like i said

Really crapy. I can't use E-Mail on that Device.

-----

I can't use that Device, there is something wrong with mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN in smtpd.conf or something.

Anyone have some good adjustments tips?

 

[Linulex]

Wrong settings NEVER work, thats why they are called wrong. Its just that they will get banned after 5 times seen in the log.

May 11 09:01:41 Servername dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=192.ip.ip.ip, lip=srv.ip.ip.210, TLS, session=<Xo4WKTpPOpZP724P>

I am pretty sure "auth failed" is a wrong setting.

As i sayd in an earlier post:
You need to compare the logs with the jails/filters to see what triggered the filter

then:
a) or disable the jail
b) or adjust the filter
c) or inform the client to change there login method so they don't trigger the filter.

c is the best action.

If machine A (laptop) works fine and machine B (android phone) doesn't work, then the problem isn't the filter or fail2ban, its the phone and they way it want to connect to the server, then the login method of that machine should be adjusted.
If the client does not know how to do that i suggest contacting the creator of the software.

Regards
Jan

 

[daanse]

@Linulex i setup the Android Phone by myself, with 100% correct Settings.

a) with unsecure Server/ Ports and so on.
b) with secure Hostname and Ports .....

The phone is stupid. The phone always uses DIGEST-MD5 in first place, even i told him not to.......

 

[Linulex]

If the filter says digest-md5 is not permitted and you try to connect with digest-md5 then it is not the filters fault. Just the opposite, the filter works perfect and as intended.

You keep saying its wrong, while the filter only does what it is told to do, and while we keep giving the answer.

For the last time: you need to:

or adjust the filter
or login different

If android always uses digest-md5, even when you told it not to and you don't want to adjust the filter, then you need to get support from the makers of android on how to disable it.

regards
Jan

 

[daanse]

Hi @Linulex,

i can't adjust the Filter... I have another possible Solution / Question.
regarding SMTP outgoing connection over TLS does not work in Outlook and i also noticed that Problem with a Outlook Client before do i have to change something in my /etc/postfix/main.cf?
I have noticed following adjustments:


Probably this is causing this stupid fails?
Because i don't remember to have this Issue with other Servers.

 

[Linulex]

First of all: you need to establish what your question is and from that you can start finding out what the problem is.

Is it postfix or dovecot ? These are 2 very different servers that do very different things, yet you mix them as if they are one and the same.

Why can't you adjust your filter? If you have access to /etc/postfix/main.cf then you also have access to the fail2ban filter.

I already gave the answer:

or adjust the filter
or login different

regards
Jan

 

[daanse]

hi @Linulex,

That's "my"/ Plesks Filter.

[INCLUDES]
before = common.conf

[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
    ^%(__prefix_line)s(pop3|imap|managesieve)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity|: Too many invalid commands\.)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
    ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
ignoreregex =

I have no clue about regex.

i messed around, sorry. Its definitely on dovecot (imap-login).
It trigges a Fail wether i setup Secure Connection or NONSECURE.
The Android Phone always goes on method=DIGEST-MD5 and than Plain.
And if it goes on method=DIGEST-MD5 it always triggers a Fail.

So like i said: It works few times and than he gets BANNED.

I can't do anything here as the Mobilephone triggers a Fail and or has a Problem with Plesk's DIGEST-MD5 / Cipher or whatever.

Maybe there is a way to ensure that first method will always be PLAIN to login?
Can i set dovecot to force PLAIN for unsecure connectionos or something. ...

 

[trialotto]

@daanse,

First, I have to be honest and state that I did not follow the thread completely.

In response to your (last) post, the following remarks have to and/or can be made.

You asked

Can i set dovecot to force PLAIN for unsecure connectionos or something. ...

and the answer would be: yes, but you should not.

The PLAIN method simply is associated with increased security risks.

Furthermore, you stated

So like i said: It works few times and than he gets BANNED.
I can't do anything here as the Mobilephone triggers a Fail and or has a Problem with Plesk's DIGEST-MD5 / Cipher or whatever.

and that is a clear indication that one (or two) jails are not functioning properly.

I would strongly suggest that you

1 - use a higher value for maxretry in the jail in question, (and)
2 - (if necessary) post relevant log output (please do a "grep" and only provide the lines associated with mobile connections)

and you should be aware of the fact that the root cause of the problem is probably not Fail2Ban and/or jails or filters used by Fail2Ban: in most cases, the "odd behaviour" is originating from the client on the mobile device (for instance, an improper client can cause a lot of connections or even retries with different login methods).

Hope the above helps a bit.

Regards!

 

[sinapseredes]

The same here, the regex expression on Fail2Ban filter must be ajusted BY PLESK to consider timeout failed logins.