So yesterday I thought I was all good on Fail2Ban, but today's logcheck emails show there were still problems with Dovecot.

```
May  2 12:12:07 village auth: pam_unix(dovecot:auth): check pass; user unknown
May  2 12:12:07 village auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=internet rhost=201.249.206.34
May  2 12:12:07 village auth: pam_unix(dovecot:auth): check pass; user unknown
2015-05-02 12:07:04,643 fail2ban.filter         [3798]: INFO    [dovecot] Found 201.249.206.34
2015-05-02 12:07:04,804 fail2ban.actions        [3798]: NOTICE  [dovecot] 201.249.206.34 already banned
2015-05-02 12:12:07,168 fail2ban.filter         [3798]: INFO    [dovecot] Found 201.249.206.34
2015-05-02 12:12:07,173 fail2ban.actions        [3798]: NOTICE  [dovecot] 201.249.206.34 already banned
```
But looking at the ban chain, I see traffic going into the chain and coming back out via the RETURN rule without hitting any of the REJECT rules (their packet counters are all still zero)…

```
root@village:~# iptables -L f2b-dovecot -n -v
Chain f2b-dovecot (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       46.183.220.157       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       201.249.206.34       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       190.107.244.151      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       177.129.90.37        0.0.0.0/0            reject-with icmp-port-unreachable
  771 57719 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
Ok, so what the frack is going on? I know things are set right, or I should say "I think things are set right". Then it hit me. These are login attacks on port 25, not on a normal Dovecot port. I already solved this… But I wanted confirmation first. So, tcpdump on the most recent IP address in /var/log/fail2ban.log:

```
root@village:~# tcpdump -nnvvS host 201.249.206.34
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:07:04.442035 IP (tos 0x0, ttl 64, id 32492, offset 0, flags [DF], proto TCP (6), length 94)
    66.228.43.117.25 > 201.249.206.34.64660: Flags [P.], cksum 0x06c6 (incorrect -> 0x6fd7), seq 3700862588:3700862642, ack 3489239823, win 29200, length 54
14:07:04.636729 IP (tos 0x0, ttl 115, id 23593, offset 0, flags [DF], proto TCP (6), length 40)
    201.249.206.34.64660 > 66.228.43.117.25: Flags [R.], cksum 0xbe5a (correct), seq 3489239823, ack 3700862642, win 0, length 0
```
Yep, there it is. It's on port 25 (the local side, 66.228.43.117, is answering from port 25, so the client was talking to SMTP, not IMAP or POP3).
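The diagnosis above can be turned into a scripted check: a banned IP that Fail2Ban keeps reporting as "already banned" while its REJECT rule has never counted a packet means the ban rule exists but the attacker's traffic never enters the chain, and the usual reason is that the jail's port list (which becomes the `--dports` of the INPUT jump into `f2b-<jail>`) does not include the port being attacked. The following is an added example written for this post, not code from the original or from Fail2Ban. It parses `iptables -L <chain> -n -v` output, the fail2ban log, and an `iptables -S INPUT` listing; the chain and log samples are constructed from the output shown above, and the INPUT jump rule is an assumption modelled on how the stock `iptables-multiport` action would render the default dovecot jail ports (`pop3,pop3s,imap,imaps,submission,465,sieve` resolved through /etc/services), so adjust it to your host.

```python
"""Spot Fail2Ban bans whose REJECT rule never sees traffic (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample modelled on the `iptables -L f2b-dovecot -n -v` output in the post.
CHAIN_LISTING = """\
Chain f2b-dovecot (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       46.183.220.157       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       201.249.206.34       0.0.0.0/0            reject-with icmp-port-unreachable
  771 57719 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample modelled on the /var/log/fail2ban.log lines in the post.
FAIL2BAN_LOG = """\
2015-05-02 12:07:04,643 fail2ban.filter         [3798]: INFO    [dovecot] Found 201.249.206.34
2015-05-02 12:07:04,804 fail2ban.actions        [3798]: NOTICE  [dovecot] 201.249.206.34 already banned
2015-05-02 12:12:07,168 fail2ban.filter         [3798]: INFO    [dovecot] Found 201.249.206.34
2015-05-02 12:12:07,173 fail2ban.actions        [3798]: NOTICE  [dovecot] 201.249.206.34 already banned
"""

# ASSUMPTION: the jump rule as `iptables -S INPUT` would print it for the stock dovecot jail
# (pop3,pop3s,imap,imaps,submission,465,sieve -> 110,995,143,993,587,465,4190). Not from the post.
INPUT_RULES = "-A INPUT -p tcp -m multiport --dports 110,995,143,993,587,465,4190 -j f2b-dovecot\n"

# Columns of `iptables -L -n -v`: pkts bytes target prot opt in out source destination [...]
_RULE = re.compile(r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)"
                   r"\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)")
_REBAN = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned")
_JUMP = re.compile(r"--dports (?P<ports>[\d,:]+) -j (?P<chain>\S+)")
_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def _count(text):
    """iptables -v abbreviates large counters (e.g. 12K); use -x to avoid this on a real host."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(listing):
    """Return {source_ip: packets} for every REJECT/DROP rule in a ban chain listing."""
    hits = {}
    for line in listing.splitlines():
        m = _RULE.match(line)
        if m and m.group("target") in ("REJECT", "DROP"):
            hits[m.group("src")] = _count(m.group("pkts"))
    return hits


def rebanned(log, jail):
    """Count 'already banned' notices per IP for one jail: the filter keeps matching the IP."""
    counts = Counter()
    for m in _REBAN.finditer(log):
        if m.group("jail") == jail:
            counts[m.group("ip")] += 1
    return counts


def silent_bans(listing, log, jail):
    """IPs fail2ban keeps re-matching whose REJECT rule has never counted a packet.

    A non-empty result means the ban exists but the traffic bypasses the chain entirely."""
    hits = parse_chain(listing)
    return sorted(ip for ip, n in rebanned(log, jail).items() if n and hits.get(ip) == 0)


def jail_ports(rules, chain):
    """Destination ports diverted into `chain` by the INPUT jump rule (handles a,b and lo:hi)."""
    ports = set()
    for m in _JUMP.finditer(rules):
        if m.group("chain") != chain:
            continue
        for item in m.group("ports").split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def port_covered(rules, chain, port):
    """True if traffic to `port` is sent through the ban chain at all."""
    return port in jail_ports(rules, chain)


if __name__ == "__main__":
    for ip in silent_bans(CHAIN_LISTING, FAIL2BAN_LOG, "dovecot"):
        print(f"{ip}: banned, still matched by the filter, 0 packets hit the REJECT rule")
    print("port 25 routed through f2b-dovecot:", port_covered(INPUT_RULES, "f2b-dovecot", 25))
```

On a live host, feed the functions the real output (`iptables -L f2b-dovecot -n -v -x`, `iptables -S INPUT`, and the jail's log) and, when `silent_bans` names an IP, check whether the port seen in tcpdump is in `jail_ports`; if it is not, the fix is in the jail's `port =` line, not in the filter regex.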
I looked at turning on the Postfix filters in Fail2Ban, but those are looking for From errors, not auth errors. So I added port 25 (SMTP) and 465 (SSMTP) to my dovecot filter. Here is what that looks like now in server-defaults.conf:

```
[dovecot]
enabled = true
port    = smtp,ssmtp,pop3,pop3s,imap,imaps,submission,465,sieve
logpath = /var/log/auth.log
```
And look, it's working: the REJECT rule for 201.249.206.34 is now counting packets.

```
root@village:~# iptables -L f2b-dovecot -n -v
Chain f2b-dovecot (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       46.183.220.157       0.0.0.0/0            reject-with icmp-port-unreachable
    2    96 REJECT     all  --  *      *       201.249.206.34       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       190.107.244.151      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       177.129.90.37        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
Hopefully now I can get back to blogging about my Home Lab.