
Resolved Fail2ban for dovecot jail not working properly

Sebo

New Pleskian
Hi all,

I'm having a lot of requests (about 1000 a day) like this in my /var/log/maillog:
imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, TLS handshaking: SSL_accept() failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<sLnevzfVK/pOgHAS>

Fail2ban with the plesk-dovecot jail is activated but is not blocking although requests are coming multiple times from the same IP within the time interval.

Basically Fail2ban is working for other jails but not for dovecot.

I'm running Plesk 18.0.40 on Ubuntu 20.04.3 LTS.

Thanks for your support!
 
Hello Sebo,

The log entry indicates that the SMTP client of a person who tries to connect to your mail server is using a protocol lower than your server (for example, you support TLSv1.3, but a client supports only TLSv1.1), so I think it is expected that these entries are ignored and not banned as it is not an authorization failure.
In order to prove it you can check it manually using 'fail2ban-regex' utility.

Here is an example for the 'plesk-roundcube' jail.
Please paste your own full entry and .conf path (by default it is '/etc/fail2ban/filter.d/plesk-dovecot.conf'):

Code:
fail2ban-regex '[11-Jan-2022 08:56:00 +0000]: <kn6c4v6e> IMAP Error: Login failed for [email protected] against localhost from 1.2.3.4(X-Real-IP: 1.2.3.4). AUTHENTICATE PLAIN: Authentication failed. in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /roundcube/?_task=login&_action=login)' /etc/fail2ban/filter.d/plesk-roundcube.conf
...
...

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
`-
...
...
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]

If you want to ban users according to the entry in your question, you can edit the jail. Additional information can be found at: MANUAL 0 8 - Fail2ban. Resolved - SSL_accept error from
 
Hi Aytalina,

thanks for your explanation and your example for fail2ban-regex.

I've tried it with /etc/fail2ban/filter.d/plesk-dovecot.conf and had no hits:
Code:
fail2ban-regex 'Jan 11 00:52:49 hostXXXXX dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<+gO6CEPVVIgjxpKj>' /etc/fail2ban/filter.d/plesk-dovecot.conf

Running tests
=============

Use   failregex filter file : plesk-dovecot, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG}TAI64N
{^LN-BEG} : Default Detectors
Use      single line : Jan 11 00:52:49 hostXXXXX dovecot: imap-login: Disc...


Results
=======

Prefregex: 1 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve)-login: )?(?:Info: )?(?P<content>.+)$
`-

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Jan 11 00:52:49 hostXXXXX dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<+gO6CEPVVIgjxpKj>
`-

So the plesk-dovecot jail seems to work as expected.
I was just surprised by the number of failed requests and thought they were blocked by Fail2ban.

Thanks a lot
Sebo
 
Hello Sebo,

Thank you for the update.

As you can see from your output there is no match with the rules and your entry:
Code:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
so, it is expected behaviour that these requests are not blocked.

If you want to block users, consider checking the link about customizations that I provided above.
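As an added example, not code from this thread or from Plesk, the Python below reproduces the two-stage matching that fail2ban-regex reports above (strip the date, apply the plesk-dovecot prefregex quoted in the output, then apply a failregex to the remaining content) and shows what a custom failregex for the handshake-failure line would match. The failregex itself, the simplified date and <HOST> patterns, and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Prefregex copied from the fail2ban-regex output above; it strips the syslog prefix and
# hands the rest to the failregex as the 'content' group.
PREFREGEX = re.compile(
    r"^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?"
    r"(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?"
    r"[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?"
    r"(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?"
    r"(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve)-login: )?(?:Info: )?(?P<content>.+)$"
)
# Simplified stand-ins (assumptions): fail2ban's datepattern and <HOST> tag cover far more formats.
DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Hypothetical custom failregex for the handshake failure. The stock filter has no such rule:
# a client that never completes the TLS handshake never attempts authentication.
FAILREGEX = re.compile(
    r"^Disconnected: Connection closed: SSL_accept\(\) failed: .*"
    r"\(no auth attempts in \d+ secs\): user=<[^>]*>, rip=" + HOST + r","
)

def match_line(line):
    """Date strip -> prefregex -> failregex, as fail2ban does; returns the host or None."""
    pre = PREFREGEX.match(DATE.sub("", line, count=1))
    fail = FAILREGEX.match(pre.group("content")) if pre else None
    return fail.group("host") if fail else None

def scan(lines, maxretry=3):
    """(matched, missed, hosts at/above maxretry), like fail2ban-regex's summary; findtime ignored."""
    hosts = [match_line(line) for line in lines]
    hits = Counter(h for h in hosts if h)
    return sum(hits.values()), hosts.count(None), sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample log: the thread's line with RFC 5737 addresses in place of XXX (three from
# one client, one from another) plus a successful login that must be missed.
HANDSHAKE = ("Jan 11 00:52:{s:02d} hostXXXXX dovecot: imap-login: Disconnected: Connection closed: "
             "SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number "
             "(no auth attempts in 0 secs): user=<>, rip={ip}, lip=198.51.100.4, TLS handshaking: "
             "SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, "
             "session=<+gO6CEPVVIgjxpKj>")
SAMPLE_LOG = [HANDSHAKE.format(s=49 + i, ip="203.0.113.9") for i in range(3)] + [
    HANDSHAKE.format(s=55, ip="203.0.113.20"),
    "Jan 11 00:52:56 hostXXXXX dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.5, lip=198.51.100.4, mpid=4242, TLS, session=<abc123>",
]

if __name__ == "__main__":
    matched, missed, to_ban = scan(SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)} lines, {matched} matched, {missed} missed; would ban: {to_ban}")
```

A rule like this bans every client whose TLS stack is too old to negotiate with the server, legitimate mail users included, which is why the stock filter leaves these lines unmatched.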
 