Brute forces on Exim Fail2Ban

timmerdanny

Hello DirectAdmin lovers,

I am trying to fight brute forces with Fail2Ban. Proftpd with Fail2ban is working very well! However, my Fail2ban for exim is not working very well; I still receive messages of failed logins from DA. When I try with my Outlook and enter some wrong passwords I get blocked after five attempts, but some IPs manage to get around Fail2ban.

Here is my Fail2Ban configuration

Code:
[exim]
enabled = true
port = smtp, 465,submission
logpath = /var/log/exim/mainlog
maxretry = 5
findtime = 3600
bantime = 86400

Here are the logs of my attempts to log in with wrong credentials from Outlook (after 5 times I get blocked):

Code:
2016-01-20 11:03:55 login authenticator failed for 095-097-248-097.static.chello.nl (DanteckNLPC) [95.97.248.97]: 535 Incorrect authentication data ([email protected])
2016-01-20 11:03:55 login authenticator failed for 095-097-248-097.static.chello.nl (DanteckNLPC) [95.97.248.97]: 535 Incorrect authentication data ([email protected])
2016-01-20 11:03:55 login authenticator failed for 095-097-248-097.static.chello.nl (DanteckNLPC) [95.97.248.97]: 535 Incorrect authentication data ([email protected])
2016-01-20 11:03:54 login authenticator failed for 095-097-248-097.static.chello.nl (DanteckNLPC) [95.97.248.97]: 535 Incorrect authentication data ([email protected])
2016-01-20 11:03:54 login authenticator failed for 095-097-248-097.static.chello.nl (DanteckNLPC) [95.97.248.97]: 535 Incorrect authentication data ([email protected])

Here are some logs of IPs that bypass Fail2Ban for some reason:

Code:
2016-01-17 21:10:44 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 21:31:08 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 22:09:37 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 22:13:35 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 22:33:58 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 22:56:59 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 23:12:34 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-17 23:37:07 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 00:15:42 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 00:40:08 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 01:03:12 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 01:18:45 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 01:22:48 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 02:06:07 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
2016-01-18 02:21:50 login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data ([email protected])
 
Hi,

Please review my configuration:

[exim]

enabled = true
filter = exim
failregex = \[<HOST>\]: 535 Incorrect authentication data
action = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog

fail2ban.png

SSH seems to be working:

Hi,

The IP 61.132.161.130 has just been banned by Fail2Ban after
5 attempts against SSH.


Here is more information about 61.132.161.130 :

missing whois program

Regards,

Fail2Ban
 
Fail2Ban looks for x number of wrong logins within the findtime (setting in jail.conf). If you look at the log file you will see that they are all spaced out, so that no more than 2 tries were within 5 minutes of each other.
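To make that window rule concrete, here is a small replay of fail2ban's findtime/maxretry logic over the two log patterns posted in this thread (an added example, not code from the thread or from fail2ban itself; the sample lines are constructed from the posted logs with mailbox names replaced, and the `<HOST>` expansion is an approximation of what fail2ban does internally):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The jail's failregex from the thread; fail2ban's <HOST> tag becomes a named group.
FAILREGEX = re.compile(r"\[(?P<host>[^\]]+)\]: 535 Incorrect authentication data")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed excerpt modelled on the thread's two samples (mailbox names replaced):
# the five-try Outlook burst and the slow drip from 185.130.5.240.
LINE = ("{ts} login authenticator failed for {who} [{ip}]: "
        "535 Incorrect authentication data (user@example.invalid)")
BURST = ["2016-01-20 11:03:54"] * 2 + ["2016-01-20 11:03:55"] * 3
DRIP = ["2016-01-17 21:10:44", "2016-01-17 21:31:08", "2016-01-17 22:09:37",
        "2016-01-17 22:13:35", "2016-01-17 22:33:58", "2016-01-17 22:56:59",
        "2016-01-17 23:12:34", "2016-01-17 23:37:07", "2016-01-18 00:15:42",
        "2016-01-18 00:40:08", "2016-01-18 01:03:12", "2016-01-18 01:18:45",
        "2016-01-18 01:22:48", "2016-01-18 02:06:07", "2016-01-18 02:21:50"]
SAMPLE_LOG = "\n".join(
    [LINE.format(ts=t, who="095-097-248-097.static.chello.nl (DanteckNLPC)",
                 ip="95.97.248.97") for t in BURST]
    + [LINE.format(ts=t, who="(User)", ip="185.130.5.240") for t in DRIP])

def parse_failures(log_text):
    """Return (timestamp, host) for every line the failregex matches, oldest first."""
    found = []
    for line in log_text.splitlines():
        ts, hit = TIMESTAMP.match(line), FAILREGEX.search(line)
        if ts and hit:
            found.append((datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"),
                          hit.group("host")))
    return sorted(found)

def simulate(log_text, maxretry=5, findtime=3600):
    """Replay failures through fail2ban's sliding window: on each failure, drop
    entries older than findtime seconds and ban the host once maxretry remain.
    Returns {host: (peak failures inside one window, ban time or None)}."""
    window = timedelta(seconds=findtime)
    recent, result = defaultdict(list), {}
    for when, host in parse_failures(log_text):
        hits = [t for t in recent[host] if when - t <= window] + [when]
        recent[host] = hits
        peak, banned = result.get(host, (0, None))
        if banned is None and len(hits) >= maxretry:
            banned = when
        result[host] = (max(peak, len(hits)), banned)
    return result

if __name__ == "__main__":
    for host, (peak, banned) in simulate(SAMPLE_LOG).items():
        print(f"{host}: peak {peak} in one window, banned at {banned or 'never'}")
```

With the thread's settings the Outlook burst is banned on its fifth try while the slow drip never exceeds 4 failures in any hour; to confirm the filter itself matches your real log, `fail2ban-regex /var/log/exim/mainlog /etc/fail2ban/filter.d/exim.conf` reports the match count directly.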
 
The second quote is an e-mail about SSH ban.

The image shows exim failed logins. Copy/paste:

IP 195.22.126.189 has 1154 failed login attempts: exim2=1154
 
I noticed that on an older version of fail2ban I was using, exim for DA never worked correctly. Using a more recent version of fail2ban (0.9.1), my exim logs were being scanned and blocked properly. What version are you currently using?
 
I had some fail2ban issues before too and changed to CSF/LFD, which can also do a lot more than fail2ban.
Maybe it's worth considering having a look at it?
 