On 2017-09-11 08:57, James Brown wrote:
I have turned on 'auth_debug_passwords=yes' in dovecot.conf.
I’m trying to get Fail2ban to detect this log line:
Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql([email protected],::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
I’ve added it as the last line of my dovecot filter regex:
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
            ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
            ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
^^^^^^^
You are missing the ID after the host part.
Have spent ages googling and trying different variations.
Does anyone have a fail2ban regex that would work on the above Dovecot
log line?
(Running latest versions of Dovecot and fail2ban)
Many thanks,
James.
--
Christian Kivalo
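A quick way to check a candidate failregex against the log line quoted in the thread is to expand fail2ban's placeholders by hand and run the pattern through Python's `re` module. The harness below is an added example, not code from the thread or from fail2ban: `PREFIX_LINE` and `HOST` are simplified assumptions standing in for fail2ban's `__prefix_line` and `<HOST>` substitutions, the sample lines are constructed (the address is replaced), and `PROPOSED` is a hypothetical rewrite of the last regex in the thread that accepts the `auth-worker(<pid>)` prefix the log line actually carries, makes the `Info:` tag optional and makes the trailing `,<session-id>` field optional.

```python
import re

# Constructed sample lines (not copied from a real server). The first has the
# shape of the line quoted in the thread, with the address replaced; the second
# and third are constructed variants covering the plain "auth:" prefix, an
# IPv6 client and the SHA1-digest form of the password detail.
SAMPLE_LINES = [
    "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): "
    "sql(user@example.com,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
    "Password mismatch (given password: 2)",
    "Sep 11 15:53:02 mail dovecot[54239]: auth: Info: "
    "sql(user@example.com,192.0.2.10): unknown user",
    "Sep 11 15:53:40 mail dovecot[54239]: auth-worker(10094): Info: "
    "sql(user@example.com,2001:db8::5,<abc123>): Password mismatch "
    "(SHA1 of given password: da39a3ee5e6b4b0d3255bfef95601890afd80709)",
]

# A constructed successful-login line: a failregex must NOT match this.
NOISE_LINE = ("Sep 11 15:54:10 mail dovecot[54239]: imap-login: Login: "
              "user=<user@example.com>, method=PLAIN, rip=192.0.2.10")

# Stand-ins for the two tokens fail2ban substitutes before compiling a
# failregex. Both are simplified assumptions: fail2ban's real __prefix_line
# and <HOST> definitions are more elaborate (its <HOST> has dedicated IPv4,
# IPv6 and DNS groups), so confirm the final pattern with fail2ban-regex.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?dovecot(?:\[\d+\])?: "
HOST = r"(?P<host>[\w\-.:^_]*\w)"

# The last pattern from the thread, verbatim.
ORIGINAL = (
    r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): "
    r"(Password mismatch|unknown user)( \((SHA1 of given password: "
    r"[0-9a-f]{5,40}|given password: \w*)\))?$"
)

# Hypothetical rewrite: accept "auth" or "auth-worker(<pid>)", make the
# "Info: " tag and the trailing ,<session-id> field optional, and match the
# password detail with \S* because the logged value is client-supplied.
PROPOSED = (
    r"^%(__prefix_line)s(auth|auth-worker\(\d+\)): (Info: )?"
    r"sql\(\S+,<HOST>(,\<\S+\>)?\): (Password mismatch|unknown user)"
    r"( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \S*)\))?\s*$"
)


def expand(failregex):
    """Replace the fail2ban tokens with the stand-ins and compile the result."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST)
    return re.compile(pattern)


def matches(failregex, line):
    """Return the captured host when failregex matches the line, else None."""
    m = expand(failregex).search(line)
    return m.group("host") if m else None


def check_all(failregex, lines=SAMPLE_LINES):
    """Host captured per sample line (None where the pattern does not fire)."""
    return [matches(failregex, line) for line in lines]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, check_all(rx), "noise:", matches(rx, NOISE_LINE))
```

Running it shows `ORIGINAL` firing on none of the sample lines: the quoted line is written by `auth-worker(10094)` with no `Info:` tag, so a pattern anchored on `auth: Info:` never gets as far as the host and ID fields. `PROPOSED` captures `::1`, `192.0.2.10` and `2001:db8::5` and stays silent on the successful-login line. Two caveats for deployment: with `auth_debug_passwords=yes` the tail of the line is whatever the client sent, so the `given password:` alternative is deliberately loose and `\S*` will still miss values containing whitespace; and the stand-ins here are not fail2ban's own, so the last word belongs to `fail2ban-regex <logfile> <filter>` against the real filter file.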