I have turned on 'auth_debug_passwords=yes' in dovecot.conf.

I'm trying to get Fail2ban to detect this log line:

Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)

I've added it as the last line of my dovecot filter regex:
failregex =
^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$
^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
Have spent ages googling and trying different variations.
Does anyone have a fail2ban regex that would work on the above Dovecot log line?
(Running latest versions of Dovecot and fail2ban)
Many thanks,
James.
On 2017-09-11 08:57, James Brown wrote:
> I have turned on 'auth_debug_passwords=yes' in dovecot.conf.
>
> I'm trying to get Fail2ban to detect this log line:
>
> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
>
> I've added it as the last line of my dovecot filter regex:
> [...]
> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$

^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
                                       ^^^^^^^
You are missing the ID after the host part.

> Have spent ages googling and trying different variations.
>
> Does anyone have a fail2ban regex that would work on the above Dovecot log line?
>
> (Running latest versions of Dovecot and fail2ban)
>
> Many thanks,
>
> James.

-- 
Christian Kivalo
> On 11 Sep 2017, at 5:10 pm, Christian Kivalo <ml+dovecot at valo.at> wrote:
>
> On 2017-09-11 08:57, James Brown wrote:
> [...]
>> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
>
> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
>                                        ^^^^^^^
> You are missing the ID after the host part.
> -- 
> Christian Kivalo

Many thanks Christian.

Added that, but it still doesn't match:

$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Running tests
=============

Use   failregex line : ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S...
Use      single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...


Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
`-

Any other suggestions?

Thanks,

James.
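A rule that does match the line in this thread, written as an added example that is not part of the original posts and not fail2ban's own filter.d/dovecot.conf. The line comes from auth-worker(10094): with no "Info: " level, while the rule James tested only accepts a literal "auth: Info: " source, so it can never match regardless of the session ID. The block below expands the two fail2ban placeholders itself so it runs stand-alone: the patterns for %(__prefix_line)s and <HOST> are this example's approximation of fail2ban's expansions, not copied from fail2ban, and the sample log (apart from the thread's own line, with the list archive's address obfuscation undone) is constructed. Two caveats for anyone reusing it: auth_debug_passwords puts the attempted password into the log in clear text, so the mail log itself becomes sensitive data; and fail2ban ignores loopback by default (ignoreip, plus ignoreself in newer releases), so a ::1 hit from a localhost test will match the regex but never produce a ban. Test from a non-loopback client before concluding the filter is broken.

```python
import re

# fail2ban substitutes %(__prefix_line)s from its common.conf and <HOST>
# from an internal template before compiling each failregex.  The two
# patterns below are this example's approximation of those expansions
# (assumed, not copied from fail2ban): a syslog timestamp, an optional
# hostname, and a dovecot daemon tag with an optional PID.
PREFIX_LINE = (
    r"(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?"  # syslog timestamp
    r"(?:\S+ )?"                              # hostname
    r"dovecot(?:-auth)?(?:\[\d+\])?: "        # daemon[pid]:
)
# The named group 'host' is what fail2ban bans.  The optional ::ffff:
# prefix strips the IPv4-mapped IPv6 form so the ban hits the IPv4 address.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.:]+)"

# The rule James ran through fail2ban-regex, verbatim from the thread.
POSTED_FAILREGEX = (
    r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): "
    r"(Password mismatch|unknown user)"
    r"( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
)

# A rule for the thread's log line.  Compared with the posted rule it
# accepts the auth-worker(<pid>) source as well as plain auth, makes the
# 'Info: ' level optional, makes the session ID after <HOST> optional, and
# uses '.*' for the cleartext password that auth_debug_passwords logs,
# because a guessed password can contain anything, not just \w characters.
FAILREGEX = (
    r"^%(__prefix_line)s"
    r"(?:auth|auth-worker\(\d+\)): (?:Info: )?"
    r"sql\([^\s,()]+,<HOST>(?:,<[^>]+>)?\): "
    r"(?:Password mismatch|unknown user)"
    r"(?: \((?:SHA1 of given password: [0-9a-f]{5,40}|given password: .*)\))?$"
)


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand the fail2ban placeholders and compile the rule."""
    expanded = failregex % {"__prefix_line": PREFIX_LINE}
    return re.compile(expanded.replace("<HOST>", HOST))


def failed_hosts(lines, failregex: str = FAILREGEX):
    """Return the <host> captured from every line the rule matches, in
    order, which is what fail2ban-regex reports as matched lines."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.match, lines) if m]


# Constructed sample log.  The first line is the one from the thread; the
# others are made up here to cover the variants the rule is meant to catch.
SAMPLE_LOG = [
    "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): "
    "sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
    "Password mismatch (given password: 2)",
    # older 'auth: Info:' source, no session ID, unknown user
    "Sep 11 15:53:02 mail dovecot[54239]: auth: Info: "
    "sql(bob@example.org,203.0.113.7): unknown user",
    # cleartext password containing a space and punctuation
    "Sep 11 15:53:10 mail dovecot[54239]: auth-worker(10094): "
    "sql(alice@example.org,198.51.100.9,<abc123>): "
    "Password mismatch (given password: hunter 2!)",
    # a successful login must not count as a failure
    "Sep 11 15:53:20 mail dovecot: imap-login: Login: user=<alice@example.org>, "
    "method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, mpid=4321, TLS",
]

if __name__ == "__main__":
    print("posted rule matches:", failed_hosts(SAMPLE_LOG, POSTED_FAILREGEX))
    print("fixed rule matches: ", failed_hosts(SAMPLE_LOG))
```

To use the rule in fail2ban itself, drop the FAILREGEX text (with the %(__prefix_line)s and <HOST> placeholders left in place) into a failregex entry of a filter.d/dovecot.local, then run fail2ban-regex against the real mail log, as in the thread, to confirm a non-zero match count before enabling the jail.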