
Forwarded to devs: fail2ban plesk-dovecot not matching failed logins

Jens Johansson

Basic Pleskian

TITLE

fail2ban plesk-dovecot not matching failed logins

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.73#3
CloudLinux 8.10

PROBLEM DESCRIPTION

The log format of dovecot for failed logins has changed. This is why the fail2ban plesk-dovecot jail is no longer able to catch failed logins from dovecot.

Compare the following log lines. The first is in the old format, the second in the new one:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>

STEPS TO REPRODUCE

Create a file with the following content:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>

Run fail2ban-regex testfile.name /etc/fail2ban/filter.d/plesk-dovecot.conf where testfile.name is the file you just created. Only one line matches, while the new log format is missed by the failregex.

ACTUAL RESULT

Code:
Running tests
=============

Use      filter file : plesk-dovecot, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG}TAI64N
{^LN-BEG} : Default Detectors
Use         log file : ./testfile.name
Use         encoding : UTF-8


Results
=======

Prefregex: 2 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?(?P<content>.+)$
`-

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2 lines, 0 ignored, 1 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>
`-

EXPECTED RESULT

The result should be:
Lines: 2 lines, 0 ignored, 2 matched, 0 missed

ANY ADDITIONAL INFORMATION

To fix this, I altered the second line of the failregex from:

^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

to:

^(?:Aborted login|Login aborted|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)\s*(|\(auth_failed\)):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
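As an added check that is not part of the report or of Plesk's filter, the following Python script replays what fail2ban-regex does on the two sample lines: the shipped failregex #2 misses the new "Login aborted ... (auth_failed):" line, while the poster's corrected regex matches both and extracts the rip= address. fail2ban's datepattern, prefregex and the <HOST> and <F-USER> tags are replaced by simplified stand-ins (an assumption), so only the failregex logic from the post is exercised.

```python
import re

# Constructed sample input: the two log lines quoted in the report (address left obfuscated as posted).
OLD_LINE = ("Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: "
            "Connection closed (auth failed, 3 attempts in 5 secs): "
            "user=<[email protected]>, method=PLAIN, rip=100.100.100.100, "
            "lip=127.0.0.1, TLS, session=<xxx>")
NEW_LINE = ("Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: "
            "Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): "
            "user=<[email protected]>, method=PLAIN, rip=200.200.200.200, "
            "lip=127.0.0.1, TLS, session=<xxx>")

# Simplified stand-in (assumption) for fail2ban's datepattern + prefregex: strip
# the syslog prefix and hand only the "<proto>-login:" payload to the failregex.
PREFREGEX = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ dovecot\[\d+\]: "
    r"(?:pop3|imap|managesieve|submission)-login: (?P<content>.+)$")

# fail2ban expands <HOST> and <F-USER>..</F-USER> itself; plain named groups here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
USER = r"(?P<user>[^>]*)"
BYPASS = r"(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*"  # %(_bypass_reject_reason)s
REASON = (r" \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
          r"|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)")
TAIL = (r":(?: user=<" + USER + r">,)?(?: method=\S+,)? rip=" + HOST
        + r"(?:[^>]*(?:, session=<\S+>)?)\s*$")

# Shipped failregex #2: no "Login aborted" prefix, and ":" must directly follow ")".
FAILREGEX_OLD = re.compile(
    r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
    + BYPASS + REASON + TAIL)
# The poster's fix: accept "Login aborted" and an optional " (auth_failed)" before ":".
FAILREGEX_FIXED = re.compile(
    r"^(?:Aborted login|Login aborted|Disconnected|Remote closed connection"
    r"|Client has quit the connection)"
    + BYPASS + REASON + r"\s*(|\(auth_failed\))" + TAIL)

def match_host(line, failregex):
    """Return the rip= address the filter would ban for this line, or None if missed."""
    pre = PREFREGEX.match(line)
    if not pre:
        return None
    m = failregex.match(pre.group("content"))
    return m.group("host") if m else None

def run_tests(failregex, lines=(OLD_LINE, NEW_LINE)):
    """Mimic the fail2ban-regex summary: (matched, missed) counts over the lines."""
    hosts = [match_host(line, failregex) for line in lines]
    return sum(h is not None for h in hosts), sum(h is None for h in hosts)
```

run_tests(FAILREGEX_OLD) gives (1, 1), reproducing the "1 matched, 1 missed" summary above, and run_tests(FAILREGEX_FIXED) gives the expected (2, 0).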