Forwarded to devs fail2ban plesk-dovecot not matching failed logins

Jens Johansson

Basic Pleskian

TITLE

fail2ban plesk-dovecot not matching failed logins

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.73#3
CloudLinux 8.10

PROBLEM DESCRIPTION

The log format of dovecot for failed logins has changed. This is why the fail2ban plesk-dovecot jail is no longer able to catch failed logins from dovecot.

Compare the lines in the logs. The first line is from the old log format and the one beneath it is from the new:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>

STEPS TO REPRODUCE

Create a file with the following content:
Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 5 secs): user=<[email protected]>, method=PLAIN, rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>
Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>

Run fail2ban-regex testfile.name /etc/fail2ban/filter.d/plesk-dovecot.conf where testfile.name is the file you just created. Only one line matches, while the new log format is missed by the failregex.

ACTUAL RESULT

Code:
Running tests
=============

Use      filter file : plesk-dovecot, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG}TAI64N
{^LN-BEG} : Default Detectors
Use         log file : ./testfile.name
Use         encoding : UTF-8


Results
=======

Prefregex: 2 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?(?P<content>.+)$
`-

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2 lines, 0 ignored, 1 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed (auth failed, 3 attempts in 5 secs) (auth_failed): user=<[email protected]>, method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>
`-

EXPECTED RESULT

The result should be:
Lines: 2 lines, 0 ignored, 2 matched, 0 missed

ANY ADDITIONAL INFORMATION

To fix the failregex I altered the second line of the failregex: ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$ to:

^(?:Aborted login|Login aborted|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)\s*(|\(auth_failed\)):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
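To check the shipped and the patched failregex against the two log lines without a fail2ban install, here is an added Python example; it is not from the report or from the fail2ban project. It assumes a simplified prefregex, an IPv4-only expansion of <HOST> and a hand-written group in place of <F-USER>...</F-USER>, and the mailbox name in the sample lines is a placeholder.

```python
import re

# Constructed sample lines modelled on the report's two (old format first); mailbox is a placeholder.
SAMPLE_LOG = [
    "Oct 15 22:00:00 server dovecot[1234]: imap-login: Disconnected: Connection closed "
    "(auth failed, 3 attempts in 5 secs): user=<user@example.com>, method=PLAIN, "
    "rip=100.100.100.100, lip=127.0.0.1, TLS, session=<xxx>",
    "Oct 17 07:20:00 server dovecot[1234]: pop3-login: Login aborted: Connection closed "
    "(auth failed, 3 attempts in 5 secs) (auth_failed): user=<user@example.com>, "
    "method=PLAIN, rip=200.200.200.200, lip=127.0.0.1, TLS, session=<xxx>",
]

# Simplified stand-in for the filter's prefregex (assumption): strips the syslog/dovecot prefix
# and hands the rest to the failregex as <content>, the way fail2ban does.
PREFREGEX = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ dovecot\[\d+\]: "
    r"(?:pop3|imap|managesieve|submission)-login: (?P<content>.+)$"
)

# %(_bypass_reject_reason)s as expanded in the fail2ban-regex output in the report.
BYPASS = r"(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*"
REASON = (r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?"
          r"|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)")
# fail2ban expands <HOST> and <F-USER>...</F-USER> itself; done by hand here, IPv4-only (assumption).
TAIL = (r"(?: user=<(?P<user>[^>]*)>,)?(?: method=\S+,)?"
        r" rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:[^>]*(?:, session=<\S+>)?)\s*$")

# Shipped failregex: no "Login aborted" alternative and no room for the "(auth_failed)" tag.
OLD_FAILREGEX = re.compile(
    r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
    + BYPASS + " " + REASON + ":" + TAIL)
# Patched failregex from the report: adds "Login aborted" and an optional "(auth_failed)".
NEW_FAILREGEX = re.compile(
    r"^(?:Aborted login|Login aborted|Disconnected|Remote closed connection"
    r"|Client has quit the connection)"
    + BYPASS + " " + REASON + r"\s*(?:\(auth_failed\))?:" + TAIL)

def match_failures(lines, failregex):
    """Return (rip, user) for each line the failregex catches, mimicking fail2ban-regex."""
    hits = []
    for line in lines:
        if (pre := PREFREGEX.match(line)) and (m := failregex.match(pre.group("content"))):
            hits.append((m.group("host"), m.group("user")))
    return hits

if __name__ == "__main__":
    for name, rx in (("shipped", OLD_FAILREGEX), ("patched", NEW_FAILREGEX)):
        print(name, match_failures(SAMPLE_LOG, rx))
```

Running it prints one hit for the shipped regex and two for the patched one, mirroring the "1 matched, 1 missed" versus "2 matched, 0 missed" results in the report.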