ClearOS Bug Tracker

ID: 0022541
Project: ClearOS
Category: app-imap - IMAP and POP Server
View Status: public
Date Submitted: 2018-12-10 14:35
Last Update: 2019-05-03 02:01
Assigned To: NickH
Product Version: 7.5.0 Updates
Target Version: 7.5.0 Updates
Fixed in Version: 7.5.0 Updates
Summary: 0022541: filter for cyrus-imap jail does not work
Description:
The default filter for the cyrus-imap jail in /etc/fail2ban/filter.d/cyrus-imap.conf does not work on our logs. The filter is:
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$

Typical failure lines for POP failed logins are:
Dec 7 15:39:29 mail pop3[21087]: badlogin: [] plaintext champagne SASL(-13): authentication failure: checkpass failed
Dec 7 15:39:29 mail pop3[21089]: badlogin: [] plaintext harold SASL(-13): authentication failure: checkpass failed
Dec 7 15:39:29 mail pop3[21090]: badlogin: [] plaintext crystal SASL(-13): authentication failure: checkpass failed
Dec 7 15:39:29 mail pop3[21088]: badlogin: [] plaintext bob SASL(-13): authentication failure: checkpass failed

These do not get detected.

If the filter is changed to:
failregex = ^%(__prefix_line)sbadlogin: .*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$

the lines are then detected. The problem is the first \S (non-whitespace character) where our logs only have a space between "badlogin:" and the IP address. If you change the \S for a ".*", everything that would have been picked up by the first filter still gets picked up, and our log failures get detected.

There seem to be three approaches to fix this:
1 - get upstream to fix (good luck)
2 - add an /etc/fail2ban/filter.d/cyrus-imap.local with a modified filter. This is what I do (and have done for a couple of years)
3 - add a filter to /etc/fail2ban/jail.d/clearos-cyrus-imap.conf. I don't know if this will work, but I think it will. I think it takes precedence over /etc/fail2ban/filter.d/cyrus-imap.conf but defers to /etc/fail2ban/filter.d/cyrus-imap.local which should be under the user's control. This needs testing, but would be the ideal route as ClearOS can override upstream and the user can still override ClearOS.
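As an added example (not part of the bug report, and not ClearOS or fail2ban code), the following Python runs the shipped failregex and the reporter's modified one over constructed log lines, so the difference described above can be seen without a running fail2ban. It stands in for %(__prefix_line)s with a simplified prefix (an assumption for the example, not fail2ban's real common.conf definition), uses fail2ban's usual expansion of <HOST>, and the IP addresses, the extra line with a hostname before the address, and the successful-login line are all constructed, since the report's own lines lost their addresses.

```python
import re

# fail2ban expands the <HOST> tag to this named group (0.9.x behaviour).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s: the syslog hostname, then the
# cyrus daemon with its pid, as seen once fail2ban has removed the date.
# Assumption for this example, not fail2ban's real common.conf definition.
PREFIX = r"\s*\S+ (?:cyrus/)?(?:imap|pop3)(?:d|s)?\[\d+\]: "

# Everything after the prefix and "badlogin: " is shared by both filters.
TAIL = (r"\] \S+ .*?\[?SASL\(-13\): "
        r"(authentication failure|user not found): .*\]?$")

# The filter shipped in filter.d/cyrus-imap.conf, as quoted in the report:
# "\S+ ?" demands a non-empty token (a hostname) before the bracketed address.
ORIGINAL = re.compile(r"^" + PREFIX + r"badlogin: \S+ ?\[" + HOST + TAIL)

# The reporter's fix: "\S+ ?" replaced by ".*", so a missing hostname is fine
# and lines that have one are still matched.
FIXED = re.compile(r"^" + PREFIX + r"badlogin: .*\[" + HOST + TAIL)

# Syslog timestamp, which fail2ban strips before applying failregex.
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")

# Constructed sample log (documentation address ranges). Lines 1-2 have no
# hostname before the address (the case from the report), line 3 has one,
# and line 4 is a successful login that must never match.
SAMPLE_LOG = """\
Dec  7 15:39:29 mail pop3[21087]: badlogin: [198.51.100.23] plaintext champagne SASL(-13): authentication failure: checkpass failed
Dec  7 15:39:29 mail pop3[21089]: badlogin: [198.51.100.23] plaintext harold SASL(-13): authentication failure: checkpass failed
Dec  7 15:39:30 mail imap[21102]: badlogin: scanner.example.net [203.0.113.7] plaintext bob SASL(-13): user not found: checkpass failed
Dec  7 15:39:31 mail imap[21103]: login: [192.0.2.10] alice plaintext User logged in
"""


def failures(pattern, log):
    """Return the <HOST> captured by `pattern` for each matching line, in order.

    Mirrors fail2ban's processing: drop the date, then anchor failregex on the rest.
    """
    hosts = []
    for line in log.splitlines():
        rest = TIMESTAMP.sub("", line, count=1)
        match = pattern.match(rest)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    # The shipped filter only sees the line that carries a hostname; the fixed
    # one also catches the two hostname-less POP failures.
    for name, pattern in (("shipped", ORIGINAL), ("fixed", FIXED)):
        print("{:>8}: {}".format(name, failures(pattern, SAMPLE_LOG)))
```

On a real host the check to run is fail2ban-regex against the mail log and the filter file, for example fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/cyrus-imap.conf, which reports how many lines each failregex matched. The modified regex can then be placed under a [Definition] section as failregex in /etc/fail2ban/filter.d/cyrus-imap.local, which fail2ban reads after the .conf file so that only the overridden option needs to be present.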
Tags: No tags attached.
Attached Files: (none)

Relationships: (none)

Notes
NickH (developer)
2018-12-11 04:37

I have subsequently determined that the issue could also be fixed by pushing fail2ban-server-0.9.7-1.el7.noarch through from epel-unverified.

In that case my patch to app-imap can be backed out.
NickH (developer)
2018-12-14 12:37

Now fixed as app-imap-2.5.8 in updates testing.
Also needs fail2ban-server-0.9.7 from epel unverified
NickH (developer)
2019-02-01 12:31

Resolved by releasing fail2ban-server-0.9.7 from EPEL

Issue History
Date Modified Username Field Change
2018-12-10 14:35 NickH New Issue
2018-12-11 02:38 NickH Category app-attack-detector - Attack Detector => app-imap - IMAP and POP Server
2018-12-11 04:37 NickH Note Added: 0008691
2018-12-14 12:36 dloper Target Version => 7.5.0 Updates
2018-12-14 12:37 NickH Note Added: 0008721
2019-02-01 12:31 NickH Note Added: 0008791
2019-02-01 12:31 NickH Status new => resolved
2019-02-01 12:31 NickH Fixed in Version => 7.5.0 Updates
2019-02-01 12:31 NickH Resolution open => fixed
2019-02-01 12:31 NickH Assigned To => NickH
2019-05-03 02:01 NickH Status resolved => closed