For dovecot 2.1 as per wiki2, is this still valid? noticed a problem before and saw it does seem to be triggering, I use: maxretry = 6 findtime = 600 bantime = 3600 and there was like, 2400 hits in 4 minutes, it is pointing to the correct log file, but I am no expert with fail2ban, so not sure if the log format of today is compatible with the wiki2 entry filter.d/dovecot.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =
On 04/10/2013 1:47 AM, Nick Edwards wrote:> For dovecot 2.1 > > as per wiki2, is this still valid? noticed a problem before and saw > it does seem to be triggering, I use: > > maxretry = 6 > findtime = 600 > bantime = 3600 > > and there was like, 2400 hits in 4 minutes, it is pointing to the > correct log file, but I am no expert with fail2ban, so not sure if the > log format of today is compatible with the wiki2 entry >Test the filter with fail2ban-regex. fail2ban-regex --help
Hi, On 10/04/2013 07:47 AM, Nick Edwards wrote:> For dovecot 2.1 > > as per wiki2, is this still valid? noticed a problem before and saw > it does seem to be triggering, I use: > > maxretry = 6 > findtime = 600 > bantime = 3600 > > and there was like, 2400 hits in 4 minutes, it is pointing to the > correct log file, but I am no expert with fail2ban, so not sure if the > log format of today is compatible with the wiki2 entry > > > filter.d/dovecot.conf > [Definition] > failregex = (?: pop3-login|imap-login): (?:Authentication > failure|Aborted login \(auth failed|Aborted login \(tried to use > disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* > ignoreregex >this is no problem of dovecot. Nevertheless, for analysis, you can use fail2ban-regex when applying your filter to your logfile. Best regards, Gordon -- Universit?tsrechenzentrum (URZ) E.-M.-Arndt-Universit?t Greifswald Felix-Hausdorff-Str. 12 17489 Greifswald Germany Tel. +49 3834 86 1456 Fax. +49 3834 86 1401 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4982 bytes Desc: S/MIME Cryptographic Signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20131004/89c4e4e8/attachment.bin>
On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:> For dovecot 2.1 > > as per wiki2, is this still valid? noticed a problem before and saw > it does seem to be triggering, I use: >looks out dated> filter.d/dovecot.confThat'll never work, you need to change> [Definition] > failregex = (?: pop3-login|imap-login): (?:Authenticationto failregex = (?: pop3-login|imap-login): .*(?:Authentication ^^ BUT, then, with the rest of your regex, it will only partly match because its looking for ", something" like " ,TLS" at the end which wont appear on failed imap/pop3 logins that dont use TLS, etc, so any failed attempts using TLs, will be found, if they are not using it, they will be missed (most miscreants likely wont be using it anyway) I am NO python expert, in fact, I know less than less about python, so you'll best need to wait for someone who knows the answer, or ask on fail2ban list, on how you can change that to match both, by changing the last bit to \(auth failed).*rip=(?P<host>\S*) <some variable here to match on ,TLS or nothing at all> in meantime, you could repeat your failregex, like failregex = (?: pop3-login|imap-login): .*(?:Authentication failure| Aborted login \(auth failed|Aborted login \(tried to use disabled| Disconnected \(auth failed).*rip=(?P<host>\S*),.* (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*) I think thats horrible, messy, yukky, but it likely might work :) at least until you find a better answer, there are some fail2ban fanbois on this list, but as its the weekend, you may need to be patient. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20131005/d34b1689/attachment.bin>
On 04/10/2013 1:47 AM, Nick Edwards wrote:> filter.d/dovecot.conf > [Definition] > failregex = (?: pop3-login|imap-login): (?:Authentication > failure|Aborted login \(auth failed|Aborted login \(tried to use > disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* > ignoreregexThe following is included with fail2ban 0.8.10 filters.d/dovecot.conf # Fail2Ban configuration file for dovcot # # Author: Martin Waschbuesch # # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.* pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =