Displaying 20 results from an estimated 50 matches for "failregex".
2009 May 11
4
Fail2Ban and the Dovecot log
Hi,
Is there any way to disable the "dovecot: " at the beginning of each
line of the log? Fail2Ban responds poorly to it. I know there are a
number of sites with "failregex" strings for Fail2Ban and Dovecot, but
I've tried them all, and they don't work, at least with the latest
Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
about why there will be a problem:
"In order for a log line to match your failregex, it actually has to...
2009 Mar 14
3
Account lockout option?
I'm currently using postfix and dovecot, with dovecot authentication
(with saslauthd) using mysql for accounts
Is there any option available for me to help inhibit/prevent
brute-force login attempts?
Thx.
Rick
Rick Steeves
http://www.sinister.net
"The journey is the destination"
2013 Oct 04
4
fail2ban
...to be triggering, I use:
maxretry = 6
findtime = 600
bantime = 3600
and there was like, 2400 hits in 4 minutes, it is pointing to the
correct log file, but I am no expert with fail2ban, so not sure if the
log format of today is compatible with the wiki2 entry
filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to use
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
2011 Aug 09
3
fail2ban help
...us-imapd.
In jail.conf I use the following syntax:
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=my at email]
logpath = /var/log/maillog
maxretry = 6
and the following filter:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:
[A-Za-z0-9+/]*={0,2})?$
in iptables:
fail2ban-sasl tcp -- anywhere anywhere tcp
dpt:smtp
...
Chain fail2ban-sasl (2 references)
target prot opt source...
2020 May 22
3
fail2ban setup centos 7 not picking auth fail?
...ot issue. Can you please post the output of this command?
> /usr/bin/fail2ban-regex /var/log/dovecot.log
> /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
# /usr/bin/fail2ban-regex /var/log/dovecot.log
/etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Failregex: 5149 total
|- #) [# of hits] regular expression
| 2) [5149]
^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S...
2017 Jul 20
3
under some kind of attack
...ke to
block anyone using those passwords.
(since the connections are over TLS/SSL, I cannot use iptables, as
suggested earlier)
So I need a specific fail2ban rule that extracts the <IP> from that
line, and matches on "(given password: password)"
Can anyone here help out with a failregex line that would match..?
2008 Jul 23
1
[Fwd: Re: fail2ban needs shorewall?]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've used denyhosts.
If you do have an issue with fail2ban, it does pretty much the same thing.
Andy
- -------- Original Message --------
Subject: Re: [CentOS] fail2ban needs shorewall?
Date: Wed, 23 Jul 2008 17:08:07 +0200
From: Kai Schaetzl <maillists at conactive.com>
Reply-To: CentOS mailing list <centos at centos.org>
To:
2017 Sep 11
2
Fail2ban 'Password mismatch' regex
...log line:
>> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
>> I?ve added it as the last line of my dovecot filter regex:
>> failregex =
>> ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
>> ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth...
2017 Jul 29
1
under another kind of attack
...6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600
Contents of /etc/fail2ban/filter.d/postfix.conf:
# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision$
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the
logfile. The
# host must be matched by a group named "host". The tag
"<HOST>" can
# be used for standard IP/hostname matching and is only an
alias for
# (?:::f{4,6}:)?(?P<host&...
2017 Dec 16
7
ot: fail2ban dovecot setup
...163.47.110.7, TLS, session=<xsq/An1gDN1ur/an>
Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in
4 secs): user=<voytek at k..au>, method=PLAIN, rip=110.175.246.167,
lip=163.47.110.7, TLS, session=<RVUkA31gm4xur/an>
# cat dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted
login \(auth failed|Aborted login \(tried to use disabled|Disconnected
\(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
# systemctl status fail2ban
? fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/sy...
2017 Sep 11
3
Fail2ban 'Password mismatch' regex
...Fail2ban to detect this log line:
Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
I?ve added it as the last line of my dovecot filter regex:
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ atte...
2010 Aug 01
3
fail2ban does not work for my asterisk installation
The failregex statement in my jail.conf file is:
*
failregex* = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong
password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No
matching peer found
NOTICE.* .*: Registration fro...
2013 Aug 12
1
fail2ban
hi
dovecot filter for fail2ban do not match:
dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=67
dovecot filter:
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
bst regards.
2017 Mar 01
3
fail2ban Asterisk 13.13.1
...quot;%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = -1
in filter.d
asterisk.conf
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*'
failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No
matching peer found|Not a local domain|Device does not match ACL|Peer is not
supposed to register|ACL error \(permit/deny\)|Not a local...
2013 Apr 10
3
fail2ban problem
Hello list
I'm trying to setup fail2ban specially sasl action but I'm facing problems.
I have centos-release-5-9.el5.centos.1
and
fail2ban-0.8.7.1-1.el5.rf
installed
with selinux disabled
The errors I get are:
INFO Creating new jail 'sasl-iptables'
fail2ban.comm : WARNING Invalid command: ['add', 'sasl-iptables',
'polling']
I tried gemin against
2010 Jun 10
2
Fail2ban
...cept dovecot. I have tried
using my own custom regex in conjunction with the regex on the
dovecot.org site. Neither are picked up by fail2ban and I'm trying to
use an imminent attack agaist dovecot, going on now, to my advantage to
see when I get the right regexp. Here are my current ones:
failregex = .*dovecot: (?:pop3-login|imap-login):
(?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth
attempts)\):.*rip=<HOST>,.* <<< this is my custom
(?: pop3-login|imap-login): (?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to u...
2017 Jul 27
1
under another kind of attack
> On 26 Jul 2017, at 7:57 pm, Olaf Hopp <Olaf.Hopp at kit.edu> wrote:
>
> Dear collegues,
>
> many thanks for your valuable input.
>
> Since we are an university GEO-IP blocking is not an option for us.
> Somestimes I think it should ;-)
>
> My "mistake" was that I had just *one* fail2ban filter for both cases:
> "wrong password" and
2015 Sep 13
4
Fail2ban
...Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
password|Username/auth name mismatch|No m$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '...
2018 May 17
2
Decoding SIP register hack
I need some help understanding SIP dialog. Some actor is trying to
access my server, but I can't figure out what he's trying to do ,or how.
I'm getting a lot of these warnings.
[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt:
Retransmission timeout reached on transmission
_zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101
With SIP DEBUG I tracked the Call-ID to this INVITE :
2017 Jul 20
0
under some kind of attack
I have concoted something that seems to work. And for the archives, this
is it:
> failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
> auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\...