dovecot - Sep 2017 - Fail2ban 'Password mismatch' regex

> On 11 Sep 2017, at 5:10 pm, Christian Kivalo <ml+dovecot at valo.at>
wrote:
> 
> On 2017-09-11 08:57, James Brown wrote:
>> I have turned on 'auth_debug_passwords=yes? in dovecot.conf.
>> I?m trying to get Fail2ban to detect this log line:
>> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at
bordo.com.au <mailto:user at
bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password
mismatch (given password: 2)
>> I?ve added it as the last line of my dovecot filter regex:
>> failregex >>
^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
rhost=<HOST>(\s+user=\S*)?\s*$
>>            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+
secs)?|tried to use (disabled|disallo$
>>            ^%(__prefix_line)s(Info|dovecot:
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\):
pam_authenticate\(\) failed: (User not known to the underlying authentication$
>>            ^%(__prefix_line)s(auth|auth-worker\(\d+\)):
(pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>>            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info:
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>>            ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\):
(Password mismatch|unknown user)( \((SHA1 of given password:
[0-9a-f]{5,40}|given password: \w*)\))?$
>              ^%(__prefix_line)sauth: Info:
sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1
of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
>                                                            ^^^^^^^
> You are missing the ID after the host part.
> -- 
> Christian Kivalo
> 
Many thanks Christian.

Added that, but it still doesn?t match:

$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094):
sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password
mismatch (given password: 2)" "^%(__prefix_line)sauth: Info:
sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1
of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Running tests
============
Use   failregex line : ^%(__prefix_line)sauth: Info:
sql\(\S+,<HOST>,\<\S...
Use      single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...


Results
======
Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at
bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch
(given password: 2)
`-

Any other suggestions?

Thanks,

James.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8517 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20170911/95763f45/attachment.bin>

> Many thanks Christian.
> 
> Added that, but it still doesn?t match:
> 
> $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: 
> auth-worker(10094): 
> sql(user at bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>):
Password
> mismatch (given password: 2)"
> "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\):
(Password
> mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given 
> password: \w*)\))?$"
Your log has "auth-worker(10094): sql" whereas the fail2ban regex has 
")sauth: Info: sql\(\". When you change that to ")sauth-worker:
sql\(\"
does it work then?

Try to reduce the regex to a working minimum and then add parts back 
until it breaks...

[...]
> 
> Any other suggestions?
> 
> Thanks,
> 
> James.
-- 
  Christian Kivalo

> On 11 Sep 2017, at 5:38 pm, Christian Kivalo <ml+dovecot at valo.at>
wrote:
> 
>> Many thanks Christian.
>> Added that, but it still doesn?t match:
>> $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]:
auth-worker(10094): sql(user at
bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given
password: 2)"
>> "^%(__prefix_line)sauth: Info:
sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1
of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
> Your log has "auth-worker(10094): sql" whereas the fail2ban regex
has ")sauth: Info: sql\(\". When you change that to
")sauth-worker: sql\(\" does it work then?
> 
> Try to reduce the regex to a working minimum and then add parts back until
it breaks?

Thanks Christian.

That didn?t work either:

$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094):
sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password
mismatch (given password: 2)" "^%(__prefix_line)sauth-worker:
sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1
of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Running tests
============
Use   failregex line : ^%(__prefix_line)sauth-worker:
sql\(\S+,<HOST>,\<\...
Use      single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...


Results
======
Failregex: 0 total


Should there be something after ?sauth-worker? for the ?(10094)??

Will keep trying deleting stuff till it works.

Thanks,

James.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8517 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20170911/21d4207f/attachment.bin>