Jens Johansson
Basic Pleskian
TITLE
fail2ban plesk-dovecot not matching failed logins
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Obsidian 18.0.73#3
CloudLinux 8.10
PROBLEM DESCRIPTION
The log format of dovecot for failed logins has changed. This is why the fail2ban plesk-dovecot jail is no longer able to catch failed logins from dovecot.
Compare the lines in the logs. The first line is from the old and beneath the new log:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>
STEPS TO REPRODUCE
Create a file with the following content:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>
Run
fail2ban-regex testfile.name /etc/fail2ban/filter.d/plesk-dovecot.conf
where testfile.name is the file you just created. Only one line matches, while the new log format is missed by the failregex.
ACTUAL RESULT
Running tests
=============
Use filter file : plesk-dovecot, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG}TAI64N
{^LN-BEG} : Default Detectors
Use log file : ./testfile.name
Use encoding : UTF-8
Results
=======
Prefregex: 2 total
| ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?(?P<content>.+)$
`-
Failregex: 1 total
|- #) [# of hits] regular expression
| 2) [1] ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 2 lines, 0 ignored, 1 matched, 1 missed
[processed in 0.00 sec]
|- Missed line(s):
| Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>
`-
EXPECTED RESULT
The result should be:
Lines: 2 lines, 0 ignored, 2 matched, 0 missed
ANY ADDITIONAL INFORMATION
To fix the failregex I altered the second line of the failregex:
^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
to:
^(?:Aborted login|Login aborted|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)\s*(|\(auth_failed\)):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
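To see why the shipped failregex misses the new dovecot line and the poster's altered one catches both, here is an added stand-alone check (not code from the post or from Plesk): it replays a simplified prefregex and both failregex variants over two constructed log lines modelled on the ones above. The <HOST> and <F-USER> tags are approximated with plain Python named groups and the mailbox address is a placeholder.

```python
import re

# Constructed sample lines in the old and the new dovecot format
# (mailbox address is a placeholder, not taken from the post).
OLD_FORMAT = ("Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: "
              "Connection closed (auth failed, 3 attempts in 5 secs): "
              "user=<user@example.com>, method=PLAIN, rip=100.100.100.100, "
              "lip=127.0.0.1, TLS, session=<xxx>")
NEW_FORMAT = ("Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: "
              "Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): "
              "user=<user@example.com>, method=PLAIN, rip=200.200.200.200, "
              "lip=127.0.0.1, TLS, session=<xxx>")

# Simplified stand-in for fail2ban's prefregex: drop the syslog prefix and the
# "<proto>-login: " tag, hand the rest to the failregex as <content>.
PREFREGEX = re.compile(r"^\S+ +\d+ \S+ \S+ dovecot\[\d+\]: "
                       r"(?:pop3|imap|managesieve|submission)-login: (?P<content>.+)$")

# fail2ban substitutions as plain named groups (assumption: <HOST> reduced to an
# IPv4/IPv6 character class, <F-USER> to a 'user' group).
BYPASS_REJECT_REASON = r"(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*"
REASON = (r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?|"
          r"tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)")
TAIL = (r"(?: user=<(?P<user>[^>]*)>,)?(?: method=\S+,)? rip=(?P<host>[0-9a-fA-F.:]+)"
        r"(?:[^>]*(?:, session=<\S+>)?)\s*$")

# Second failregex line as shipped in plesk-dovecot.conf (quoted in the post).
FAILREGEX_OLD = re.compile(
    r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
    + BYPASS_REJECT_REASON + " " + REASON + ":" + TAIL)
# The poster's fix: also accept "Login aborted" and an optional " (auth_failed)" suffix.
FAILREGEX_FIXED = re.compile(
    r"^(?:Aborted login|Login aborted|Disconnected|Remote closed connection|Client has quit the connection)"
    + BYPASS_REJECT_REASON + " " + REASON + r"\s*(|\(auth_failed\)):" + TAIL)


def failed_login_hosts(failregex, lines):
    """Return the rip= addresses that the given failregex reports as failed logins."""
    hosts = []
    for line in lines:
        pre = PREFREGEX.match(line)
        if pre is None:
            continue
        m = failregex.match(pre.group("content"))
        if m:
            hosts.append(m.group("host"))
    return hosts
```

Calling failed_login_hosts with FAILREGEX_OLD yields only 100.100.100.100, i.e. the same "1 matched, 1 missed" as fail2ban-regex above, while FAILREGEX_FIXED yields both addresses.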