Dovecot fail2ban jail uses wrong log file - auth.log should be used
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
fail2ban (Debian) | New | Unknown | | |
fail2ban (Ubuntu) | New | Undecided | Unassigned | |

Bug Description
Activating the dovecot jail, I didn't see any failed filters and bans, while my /var/log/auth.log is full of failed attempts to log in:
Oct 30 06:37:43 mail auth: pam_unix(
Oct 30 06:37:43 mail auth: pam_unix(
Oct 30 11:30:24 mail auth: pam_unix(
Oct 30 11:30:24 mail auth: pam_unix(
Oct 30 12:14:11 mail auth: pam_unix(
The problem is an incorrect fail2ban config for Ubuntu/Debian - the auth failed messages of dovecot are going into auth.log and not into mail.warn or mail.log, thus fail2ban does not find any hits.
Calling fail2ban-regex /var/log/auth.log /etc/fail2ban/
Issue is solved by adding one line to /etc/fail2ban/
dovecot_log = %(syslog_authpriv)s
The issue exists in Ubuntu 22.04, 20.04 and 18.04 LTS; I didn't check with the latest 23.10 as I use only LTS on servers.
Changed in fail2ban (Debian): status: Unknown → New
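
The mismatch described in this report can be checked before trusting a jail. The following is an added example, not part of the original report or of fail2ban: it counts dovecot PAM failures per log file and flags a jail whose log path cannot see them. The regex is a simplified assumption (not fail2ban's shipped dovecot filter) and the sample log lines are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# Simplified pattern for PAM failures logged on behalf of dovecot.
# Assumption: an approximation for illustration, NOT fail2ban's own filter.
PAM_FAIL = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;.*\brhost=(?P<host>\S+)"
)

# Constructed sample data (documentation IP ranges), keyed by log path.
SAMPLE_LOGS = {
    "/var/log/auth.log": [
        "Oct 30 06:37:43 mail auth: pam_unix(dovecot:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=dovecot ruser=info rhost=203.0.113.7",
        "Oct 30 06:37:49 mail auth: pam_unix(dovecot:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7  user=admin",
        "Oct 30 11:30:24 mail auth: pam_unix(dovecot:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=dovecot ruser=test rhost=198.51.100.23",
        "Oct 30 11:31:02 mail sshd[811]: Accepted publickey for ops from 192.0.2.10",
    ],
    "/var/log/mail.log": [
        "Oct 30 06:37:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN",
        "Oct 30 11:30:20 mail postfix/smtpd[902]: connect from unknown[198.51.100.23]",
    ],
}

def read_logs(paths):
    """Load real log files into the same {path: lines} shape, skipping missing ones."""
    return {p: Path(p).read_text(errors="replace").splitlines()
            for p in paths if Path(p).is_file()}

def failures_per_log(logs):
    """Return {path: Counter(host -> failures)} for every log that has hits."""
    result = {}
    for path, lines in logs.items():
        hits = Counter(m.group("host") for line in lines
                       if (m := PAM_FAIL.search(line)))
        if hits:
            result[path] = hits
    return result

def jail_is_blind(jail_logpath, logs):
    """True when failures exist somewhere but not in the file the jail reads."""
    found = failures_per_log(logs)
    return bool(found) and jail_logpath not in found

if __name__ == "__main__":
    logs = read_logs(["/var/log/auth.log", "/var/log/mail.log"]) or SAMPLE_LOGS
    for path, hosts in failures_per_log(logs).items():
        print(path, dict(hosts))
    print("jail on mail.log blind:", jail_is_blind("/var/log/mail.log", logs))
```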