Dovecot fail2ban jail uses wrong log file - auth.log should be used

Bug #2041826 reported by Mantas Kriaučiūnas
This bug affects 1 person
Affects: fail2ban (Debian) | Status: New | Importance: Unknown
Affects: fail2ban (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

After activating the dovecot jail I didn't see any failed filters and bans, while my /var/log/auth.log is full of failed attempts to log in:

Oct 30 06:37:43 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 30 06:37:43 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=abuse rhost=124.65.227.154
Oct 30 11:30:24 mail auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 30 11:30:24 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot <email address hidden> rhost=124.65.227.154
Oct 30 12:14:11 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales rhost=186.96.97.20

The problem is an incorrect fail2ban config for Ubuntu/Debian: the auth failed messages of dovecot are going into auth.log and not into mail.warn or mail.log, thus fail2ban does not find any hits.

Calling fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/dovecot.conf gives several hits.

The issue is solved by adding one line to /etc/fail2ban/paths-debian.conf:

dovecot_log = %(syslog_authpriv)s

The issue exists in Ubuntu 22.04, 20.04 and 18.04 LTS; I didn't check with the latest 23.10 as I use only LTS on servers.
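
The mismatch described in this report, as an added example (not from the reporter or from fail2ban): it counts pam_unix dovecot failures per remote host in constructed samples of both logs and reports whether the jail's configured log holds any of them. The regex is a simplified stand-in for the dovecot filter, and the function names and sample lines are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for matching pam_unix failures raised for dovecot;
# this is NOT the failregex shipped in filter.d/dovecot.conf.
PAM_DOVECOT_FAILURE = re.compile(
    r"pam_unix\(dovecot:auth\): authentication failure;"
    r".*?\btty=dovecot\b.*?\brhost=(?P<rhost>\S+)"
)
PAM = "pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot "

# Constructed sample logs (RFC 5737 documentation addresses, made-up users).
LOGS = {
    "auth.log": [
        "Oct 30 06:37:43 mail auth: pam_unix(dovecot:auth): check pass; user unknown",
        "Oct 30 06:37:43 mail auth: " + PAM + "ruser=abuse rhost=203.0.113.7",
        "Oct 30 11:30:24 mail auth: " + PAM + "ruser=info@example.org rhost=203.0.113.7  user=info",
        "Oct 30 12:14:11 mail auth: " + PAM + "ruser=sales rhost=198.51.100.20",
        # sshd failure in the same file: must not be counted for the dovecot jail
        "Oct 30 12:15:02 mail sshd[911]: pam_unix(sshd:auth): authentication failure; "
        "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9",
    ],
    # Holds no PAM failure lines, matching what the report describes.
    "mail.log": [
        "Oct 30 06:37:41 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10",
        "Oct 30 06:40:02 mail postfix/smtpd[811]: connect from unknown[203.0.113.7]",
    ],
}

def failures_by_host(lines):
    """Count dovecot PAM authentication failures per remote host."""
    hits = Counter()
    for line in lines:
        match = PAM_DOVECOT_FAILURE.search(line)
        if match:
            hits[match.group("rhost")] += 1
    return hits

def audit_logpath(configured, logs):
    """Return (failures visible in the configured log, other logs that hold failures)."""
    visible = sum(failures_by_host(logs[configured]).values())
    others = sorted(name for name, lines in logs.items()
                    if name != configured and failures_by_host(lines))
    return visible, others

if __name__ == "__main__":
    for path in LOGS:
        print(path, audit_logpath(path, LOGS), dict(failures_by_host(LOGS[path])))
```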

Changed in fail2ban (Debian):
status: Unknown → New