Displaying 5 results from an estimated 5 matches for "sauth".
2017 Sep 11
2
Fail2ban 'Password mismatch' regex
...authentication$
>> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|gi...
2017 Sep 11
3
Fail2ban 'Password mismatch' regex
...known to the underlying authentication$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
Have spent ages googling and trying different variations.
Does anyone have a fail2ban regex that would work on the above Dovecot log line?
(Running latest version...
2017 Sep 11
0
Fail2ban 'Password mismatch' regex
...>
> Added that, but it still doesn't match:
>
> $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]:
> auth-worker(10094):
> sql(user at bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password
> mismatch (given password: 2)"
> "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password
> mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given
> password: \w*)\))?$"
Your log has "auth-worker(10094): sql" whereas the fail2ban regex has
")sauth: Info: sql\(\". When you change th...
2017 Sep 11
0
Fail2ban 'Password mismatch' regex
...thentication$
> ^%(__prefix_line)s(auth|auth-worker\(\d+\)):
> (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info:
> ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password
> mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given
> password: \w*)\))?$
^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\):
(Password mismatch|unknown user)( \((SHA1 of given password:
[0-9a-...
2017 Jul 25
10
under another kind of attack
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by "MJ":
I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wrong password and/or users. But the rate at which they are knocking
is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25