Fail2ban is not banning IPs

Software: CentOS 7 (with firewalld), fail2ban 0.9.5, dovecot 2.2.10

I am trying to set up fail2ban on my mail server to protect it from brute-force logins over IMAP (dovecot). Right now I am stuck and fail2ban still does not work; below are my configuration files:

In /var/log/fail2ban.log

2016-12-09 21:29:29,110 fail2ban.server [3712]: INFO Exiting Fail2ban
2016-12-09 21:29:29,306 fail2ban.server [4080]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.5
2016-12-09 21:29:29,306 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
2016-12-09 21:29:29,307 fail2ban.database [4080]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2016-12-09 21:29:29,309 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dbpurgeage', '86400']
2016-12-09 21:29:29,310 fail2ban.transmitter [4080]: DEBUG Command: ['add', 'dovecot', 'systemd']
2016-12-09 21:29:29,310 fail2ban.jail [4080]: INFO Creating new jail 'dovecot'
2016-12-09 21:29:29,335 fail2ban.jail [4080]: INFO Jail 'dovecot' uses systemd
2016-12-09 21:29:29,335 fail2ban.filter [4080]: DEBUG Setting usedns = warn for FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,361 fail2ban.filter [4080]: DEBUG Created FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,362 fail2ban.filtersystemd [4080]: DEBUG Created FilterSystemd
2016-12-09 21:29:29,362 fail2ban.jail [4080]: INFO Initiated 'systemd' backend
2016-12-09 21:29:29,363 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'usedns', 'warn']
2016-12-09 21:29:29,363 fail2ban.filter [4080]: DEBUG Setting usedns = warn for FilterSystemd(Jail('dovecot'))
2016-12-09 21:29:29,364 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'maxretry', '1']
2016-12-09 21:29:29,364 fail2ban.filter [4080]: INFO Set maxRetry = 1
2016-12-09 21:29:29,364 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addignoreip', '127.0.0.1/8']
2016-12-09 21:29:29,364 fail2ban.filter [4080]: DEBUG Add 127.0.0.1/8 to ignore list
2016-12-09 21:29:29,365 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'logencoding', 'auto']
2016-12-09 21:29:29,366 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'bantime', '60000']
2016-12-09 21:29:29,366 fail2ban.actions [4080]: INFO Set banTime = 60000
2016-12-09 21:29:29,366 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'ignorecommand', '']
2016-12-09 21:29:29,367 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'findtime', '60000']
2016-12-09 21:29:29,367 fail2ban.filter [4080]: INFO Set findtime = 60000
2016-12-09 21:29:29,368 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\\(\\S*\\): Info: sql\\(\\S*,<HOST>\\): Password mismatch\\s*$']
2016-12-09 21:29:29,369 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', 'auth-worker\\(\\S*\\): Info: sql\\(\\S*,<HOST>\\): unknown user\\s*$']
2016-12-09 21:29:29,371 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(pam_unix(\\(dovecot:auth\\))?:)?\\s+authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=dovecot ruser=\\S* rhost=<HOST>(\\s+user=\\S*)?\\s*$']
2016-12-09 21:29:29,376 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \\(((auth failed, \\d+ attempts)( in \\d+ secs)?|tried to use (disabled|disallowed) \\S+ auth)\\):( user=<\\S*>,)?( method=\\S+,)? rip=<HOST>(, lip=(\\d{1,3}\\.){3}\\d{1,3})?(, TLS( handshaking(: SSL_accept\\(\\) failed: error:[\\dA-F]+:SSL routines:[TLS\\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\\S+>)?\\s*$']
2016-12-09 21:29:29,384 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(Info|dovecot: auth\\(default\\)|auth-worker\\(\\d+\\)): pam\\(\\S+,<HOST>\\): pam_authenticate\\(\\) failed: (User not known to the underlying authentication module: \\d+ Time\\(s\\)|Authentication failure \\(password mismatch\\?\\))\\s*$']
2016-12-09 21:29:29,391 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(auth|auth-worker\\(\\d+\\)): (pam|passwd-file)\\(\\S+,<HOST>\\): unknown user\\s*$']
2016-12-09 21:29:29,399 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(auth|auth-worker\\(\\d+\\)): Info: ldap\\(\\S*,<HOST>,\\S*\\): invalid credentials\\s*$']
2016-12-09 21:29:29,405 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(auth|auth-worker\\(\\d+\\)): Info: sql\\(\\S*,<HOST>\\): unknown user\\s*$']
2016-12-09 21:29:29,412 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addfailregex', '# ^(?:\\[\\])?\\s*(?:<[^.]+ [^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?(auth|dovecot(-auth)?|auth-worker)(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(auth|auth-worker\\(\\d+\\)): Info: sql\\(\\S*,<HOST>\\): Password mismatch\\s*$']
2016-12-09 21:29:29,419 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addjournalmatch', '_SYSTEMD_UNIT=dovecot.service']
2016-12-09 21:29:29,419 fail2ban.filtersystemd [4080]: INFO Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2016-12-09 21:29:29,420 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'addaction', 'firewallcmd-ipset']
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set action firewallcmd-ipset timeout = 60
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionstart =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionban =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionunban =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actioncheck =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Set actionstop =
2016-12-09 21:29:29,420 fail2ban.CommandAction [4080]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2016-12-09 21:29:29,421 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionban', 'ipset add fail2ban-<name> <ip> timeout <bantime> -exist']
2016-12-09 21:29:29,421 fail2ban.CommandAction [4080]: DEBUG Set actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
2016-12-09 21:29:29,422 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstop', 'firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>\nipset flush fail2ban-<name>\nipset destroy fail2ban-<name>']
2016-12-09 21:29:29,422 fail2ban.CommandAction [4080]: DEBUG Set actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
2016-12-09 21:29:29,422 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionstart', 'ipset create fail2ban-<name> hash:ip timeout <bantime>\nfirewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>']
2016-12-09 21:29:29,422 fail2ban.CommandAction [4080]: DEBUG Set actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
2016-12-09 21:29:29,423 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'actionunban', 'ipset del fail2ban-<name> <ip> -exist']
2016-12-09 21:29:29,423 fail2ban.CommandAction [4080]: DEBUG Set actionunban = ipset del fail2ban-<name> <ip> -exist
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'protocol', 'tcp']
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'chain', 'INPUT']
2016-12-09 21:29:29,424 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'lockingopt', '-w']
2016-12-09 21:29:29,425 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/name', 'default']
2016-12-09 21:29:29,425 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,426 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/lockingopt', '-w']
2016-12-09 21:29:29,427 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/port', 'ssh']
2016-12-09 21:29:29,427 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/protocol', 'tcp']
2016-12-09 21:29:29,428 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/lockingopt', '-w']
2016-12-09 21:29:29,428 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'port', 'pop3,pop3s,imap,imaps,submission,465,sieve']
2016-12-09 21:29:29,429 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/chain', 'INPUT']
2016-12-09 21:29:29,429 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/name', 'default']
2016-12-09 21:29:29,430 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/protocol', 'tcp']
2016-12-09 21:29:29,430 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/bantime', '600']
2016-12-09 21:29:29,431 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'bantime', '60000']
2016-12-09 21:29:29,431 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/__name__', 'Init']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'returntype', 'RETURN']
2016-12-09 21:29:29,432 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/returntype', 'RETURN']
2016-12-09 21:29:29,433 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/__name__', 'Init']
2016-12-09 21:29:29,433 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/returntype', 'RETURN']
2016-12-09 21:29:29,434 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'name', 'dovecot']
2016-12-09 21:29:29,434 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/port', 'ssh']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,435 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/chain', 'INPUT_direct']
2016-12-09 21:29:29,436 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
2016-12-09 21:29:29,437 fail2ban.transmitter [4080]: DEBUG Command: ['set', 'dovecot', 'action', 'firewallcmd-ipset', 'known/known/iptables', 'iptables <lockingopt>']
2016-12-09 21:29:29,437 fail2ban.transmitter [4080]: DEBUG Command: ['start', 'dovecot']
2016-12-09 21:29:29,439 fail2ban.filtersystemd [4080]: DEBUG Read systemd journal entry: u'2016-12-09T21:16:01.423994 xxx.xxx.com dovecot[1513]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf'
2016-12-09 21:29:29,441 fail2ban.filtersystemd [4080]: DEBUG Read systemd journal entry: u"2016-12-09T21:16:01.424219 xxx.xxx.com dovecot[1513]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it"
2016-12-09 21:29:29,442 fail2ban.jail [4080]: INFO Jail 'dovecot' started
2016-12-09 21:29:29,444 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable
2016-12-09 21:29:29,748 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stdout: 'success\n'
2016-12-09 21:29:29,749 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stderr: ''
2016-12-09 21:29:29,749 fail2ban.action [4080]: DEBUG ipset create fail2ban-dovecot hash:ip timeout 60000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- returned successfully

/etc/fail2ban/jail.conf

[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
findtime = 600
maxretry = 5
backend = systemd
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s

#
# ACTIONS
#
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]

action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action = %(action_)s

#
# JAILS
#

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
filter = dovecot
logpath = /var/log/dovecot.log
maxretry = 1
findtime = 60000
bantime = 60000
datepattern = %b %d %H:%M:%S
backend = %(dovecot_backend)s

/etc/fail2ban/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
            auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

/etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset

Tests: fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8


Results
=======

Failregex: 11 total
|-  #) [# of hits] regular expression
|   1) [10] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$
|   2) [1] auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [24] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 24 lines, 0 ignored, 11 matched, 13 missed
[processed in 0.01 sec]

|- Matched line(s):
|  Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
|  Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
|  Dec 09 14:16:13 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown user
|  Dec 09 20:37:39 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 20:37:47 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 20:37:53 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 20:37:56 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 20:37:59 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 21:29:57 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 21:30:04 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
|  Dec 09 21:30:11 auth-worker(4141): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch
`-
|- Missed line(s):
|  Dec 09 14:16:19 auth-worker(31603): Info: sql(user2@test.example.coml,192.168.13.107): unknown userDec 09 20:37:06 config: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
|  Dec 09 20:37:06 config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it
|  Dec 09 20:37:09 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>
|  Dec 09 20:37:09 imap(user2@test.example.com): Info: Disconnected: Disconnected in IDLE in=11 out=366
|  Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>
|  Dec 09 21:15:26 anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
|  Dec 09 21:15:26 log: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
|  Dec 09 21:15:26 master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
|  Dec 09 21:16:01 master: Info: Dovecot v2.2.10 starting up for imap, lmtp (core dumps disabled)
|  Dec 09 21:29:41 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4144, TLS, session=<ehkWnT9DVQCsEAIK>
|  Dec 09 21:29:42 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=4145, TLS, session=<59krnT9DVACsEAIK>
|  Dec 09 21:30:21 imap(user2@test.example.com): Info: Disconnected: Logged out in=1716 out=12112
|  Dec 09 21:32:48 imap-login: Info: Disconnected (auth failed, 3 attempts in 171 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<QIYQnj9DVwCsEAIK>
`-

dovecot.log

Dec 09 13:21:24 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
Dec 09 13:21:34 auth-worker(30106): Info: sql(user2@test.example.com,192.168.13.107): Password mismatch
Dec 09 14:16:13 auth-worker(31603): Info: sql(user@test.example.com,192.168.13.107): unknown user

One solution collected from the web for "Fail2ban is not banning IPs"

OK, everything is working now, after changing one line in /etc/fail2ban/jail.conf in the [dovecot] section:

backend = %(dovecot_backend)s to backend = polling
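Added example, not part of the question or the answer above. The fail2ban.log posted in the question already shows why nothing was banned: with backend = systemd and journalmatch = _SYSTEMD_UNIT=dovecot.service, the only journal entries the filter ever read were the two doveconf warnings, while the "Password mismatch" and "unknown user" lines live in /var/log/dovecot.log, which the journal backend never opens. Switching the backend to polling, as the answer does, makes fail2ban read logpath instead. The script below re-implements the jail's matching loop (the two failregex lines from the filter.d/dovecot.conf above, with <HOST> expanded the way fail2ban 0.9 does, plus the stock imap/pop3-login "auth failed" pattern that the page's filter left commented out) and runs it over a constructed copy of each input. It is not fail2ban's code: the log lines, the fixed year 2016, the simplified <HOST> expansion, the hostname mail.example.com and the function names are assumptions of this example.

```python
"""Re-implementation of a fail2ban jail's matching loop, run over constructed
dovecot log lines.  Added example, not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban 0.9 expands <HOST> to roughly this (optional IPv4-mapped IPv6 prefix,
# then an address or hostname).  Assumption: close enough for the lines below.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the page's filter.d/dovecot.conf, plus the stock
# imap/pop3-login "auth failed" pattern that the page's filter left commented out.
FAILREGEX = [
    r"auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): Password mismatch\s*$",
    r"auth-worker\(\S*\): Info: sql\(\S*,<HOST>\): unknown user\s*$",
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?:: Inactivity)? "
    r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):"
    r"(?: user=<\S*>,)?(?: method=\S+,)? rip=<HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]  # ignoreip from jail.conf

# Timestamp prefixes: syslog style without a year (dovecot.log) and the ISO style
# the systemd backend hands to the filter.  Year 2016 is assumed for the syslog lines.
DATE_PREFIXES = [
    (re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"), "%b %d %H:%M:%S"),
    (re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)? \S+ (?P<msg>.*)$"), "%Y-%m-%dT%H:%M:%S"),
]

# Constructed stand-ins for what each backend delivered on the page: the journal only
# carried dovecot's start-up warnings, the log file carried the authentication failures.
JOURNAL_LINES = [
    "2016-12-09T21:16:01.423994 mail.example.com dovecot[1513]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf",
    "2016-12-09T21:16:01.424219 mail.example.com dovecot[1513]: doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: 'imaps' protocol is no longer necessary, remove it",
]
FILE_LINES = [
    "Dec 09 14:16:13 auth-worker(31603): Info: sql(user@test.example.com,192.168.13.107): unknown user",
    "Dec 09 20:37:09 imap-login: Info: Login: user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, mpid=11944, TLS, session=<nQg+4T5DvQCsEAIK>",
    "Dec 09 20:37:09 imap(user2@test.example.com): Info: Disconnected: Disconnected in IDLE in=11 out=366",
    "Dec 09 20:37:39 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch",
    "Dec 09 20:37:47 auth-worker(11941): Info: sql(user2@test.example.com,172.16.2.10): Password mismatch",
    "Dec 09 20:38:41 imap-login: Info: Disconnected (auth failed, 5 attempts in 62 secs): user=<user2@test.example.com>, method=PLAIN, rip=172.16.2.10, lip=10.8.8.59, TLS: Disconnected, session=<4akO4z5DxACsEAIK>",
    "Dec 09 21:00:00 auth-worker(4141): Info: sql(root,127.0.0.1): Password mismatch",
]


def split_timestamp(line):
    """Return (datetime, message) or None when the line has no recognised date prefix."""
    for prefix, fmt in DATE_PREFIXES:
        m = prefix.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), fmt)
            if ts.year == 1900:  # strptime default when the format carries no year
                ts = ts.replace(year=2016)
            return ts, m.group("msg")
    return None


def match_failure(line):
    """Apply the failregex list to the message part; return (timestamp, host) on a hit."""
    parsed = split_timestamp(line)
    if parsed is None:
        return None
    ts, msg = parsed
    for regex in COMPILED:
        m = regex.search(msg)
        if m:
            return ts, m.group("host")
    return None


def is_ignored(host):
    """ignoreip check.  A hostname would need DNS (usedns) and is not ignored here."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def run_jail(lines, findtime=60000, maxretry=1):
    """Sliding-window counter: ban a host once it reaches maxretry failures inside
    findtime seconds.  Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = {}
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if is_ignored(host) or host in banned:
            continue
        recent = [t for t in failures[host] if ts - t <= window] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    print("systemd backend sees:", run_jail(JOURNAL_LINES))
    print("polling backend sees:", run_jail(FILE_LINES))
    print("with maxretry=3:     ", run_jail(FILE_LINES, maxretry=3))
    print("with findtime=60:    ", run_jail(FILE_LINES, findtime=60, maxretry=3))
```

Run stand-alone, the journal input yields an empty ban list and the file input bans 172.16.2.10 and 192.168.13.107 with the jail's maxretry = 1 (127.0.0.1 is dropped by ignoreip). Raising maxretry to 3 shows why the stock imap-login pattern is worth keeping: the "auth failed, 5 attempts" line is the third failure for 172.16.2.10. Shrinking findtime to 60 seconds drops that ban again, because the first failure at 20:37:39 falls outside the window by the time the third arrives at 20:38:41.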
