Package: fail2ban
Version: 0.8.3-2
Severity: normal

When using postfix with dovecot as the SASL authenticator, it logs failed login attempts like this:

----CUT----
Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
Dec 2 22:24:32 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDkxNjk1MjY1MzY1NjIzMzAuMTIyODI1MzA3MUBoZWw+
----CUT----

The current pattern in /etc/fail2ban/filters.d/sasl.conf does not match those lines. Adding the line below fixes it:

----CUT----
--- sasl.conf.orig	2008-12-06 18:16:21.000000000 +0100
+++ sasl.conf	2008-12-06 18:21:37.000000000 +0100
@@ -15,6 +15,7 @@
 # Values: TEXT
 #
 failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
+            : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
----CUT----

Furthermore, at least with postfix (don't know with exim etc.), authentication failures have log priority warn and are thus logged into /var/log/mail.warn. So using /var/log/mail.warn instead of /var/log/mail.log would be a good idea as well, because mail.log is significantly larger than mail.warn.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base        3.2-18            Linux Standard Base 3.2 init scrip
ii  python          2.5.2-3           An interactive high-level object-o
ii  python-central  0.6.8             register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables        1.3.8.0debian1-1  administration tools for packet fi
ii  whois           4.7.24            the GNU whois client

-- no debconf information
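Review bot: the added failregex line drops the `$` anchor that the existing line keeps, and it matches the trailing challenge with `\w+` although a base64 challenge (the quoted ones end in `+`) also contains `+`, `/` and `=`, which `\w` does not cover; the pattern only works because it is left unanchored, so a partial match on the leading alphanumerics is enough. For consistency with the first line, consider `authentication failed: \S+$`, or fold both cases into the existing entry with `authentication failed(?:: \S+)?$` so a single expression covers failures with and without a challenge.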
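As an added check, not part of the bug report or of fail2ban itself: a small Python harness that expands fail2ban's <HOST> tag into a named group (the expansion string is reproduced from memory of fail2ban 0.8 and is an assumption) and runs the old and the proposed failregex over the two quoted log lines plus one constructed LOGIN failure, showing which lines each pattern catches and which host it extracts.

```python
import re

# Sample input: the two postfix/smtpd lines quoted in the report, plus one constructed
# LOGIN failure without a trailing challenge (the form the original failregex expects).
LOG_LINES = [
    "Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: "
    "SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+",
    "Dec 2 22:24:32 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: "
    "SASL CRAM-MD5 authentication failed: PDkxNjk1MjY1MzY1NjIzMzAuMTIyODI1MzA3MUBoZWw+",
    "Dec 2 22:25:01 hel postfix/smtpd[7676]: warning: unknown[198.51.100.7]: "  # constructed
    "SASL LOGIN authentication failed",
]

OLD_FAILREGEX = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
NEW_FAILREGEX = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+"

# Assumption: fail2ban 0.8 substitutes <HOST> with a named group like this before compiling.
# The optional prefix strips the "::ffff:" of IPv4-mapped IPv6 addresses.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def matched_hosts(patterns, lines):
    """For each log line, return the host captured by the first matching pattern, or None."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        host = None
        for rx in compiled:
            m = rx.search(line)
            if m:
                host = m.group("host")
                break
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    print("old only :", matched_hosts([OLD_FAILREGEX], LOG_LINES))
    print("old + new:", matched_hosts([OLD_FAILREGEX, NEW_FAILREGEX], LOG_LINES))
```

The old pattern alone misses both CRAM-MD5 lines because its `$` anchor sits right after "failed"; with the added line both are matched and 114.44.142.233 is extracted as the host to ban.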

