Почему на работает fail2ban?

Question

[Андрей]

Добрый день
Имеем
Debian12 + iptables+ fail2ban+postfix+dovecot

Необходимо защитить 143 порт от подбора пароля( фильтр для блокировки юзаю тот что идёт с fail2ban )

/etc/fail2ban/jail.d/dovecot.conf

[dovecot]
enabled = true

/etc/fail2ban/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:dovecot(?:-auth)?|auth)

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?
_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
            <mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)

В fail2ban.log вижу

2024-11-07 15:58:41,904 fail2ban.filter         [454408]: INFO    [dovecot] Found  *.*.37.198 - 2024-11-07 15:58:41

Но блокировка не срабатывает, подскажите в чем ошибка ?

Comments

[agpecam]

А jail.local в соответствии с jail.conf(5) man page вы настраивали? Судя по всему, не прописаны экшены. Вот так для примера выглядит работающая секция для сого:

[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port    = 20000
enabled  = true
port     = http,https
filter   = sogo-auth
action   = iptables-multiport[name=sogo,port="http,https", protocol=tcp]
logpath  = /var/log/sogo/sogo.log
bantime  = 86400
findtime = 360

Answer 1

[Андрей]

Проблема решена

Создаем mcedit /etc/fail2ban/jail.local

[dovecot]
enabled = true
filter = dovecot
port = imap,imaps,pop3,pop3s
action = iptables-multiport[name=dovecot, port="imap,imaps,pop3,pop3s", protocol=tcp]
bantime = 60m
maxretry = 3
findtime = 60m