> On 11 Sep 2017, at 5:10 pm, Christian Kivalo <[email protected]> wrote:
>
> On 2017-09-11 08:57, James Brown wrote:
>> I have turned on 'auth_debug_passwords=yes’ in dovecot.conf.
>> I’m trying to get Fail2ban to detect this log line:
>> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094):
>> sql([email protected]
>> <mailto:[email protected]>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password
>> mismatch (given password: 2)
>> I’ve added it as the last line of my dovecot filter regex:
>> failregex =
>> ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication
>> failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
>> rhost=<HOST>(\s+user=\S*)?\s*$
>> ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
>> login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+
>> secs)?|tried to use (disabled|disallo$
>> ^%(__prefix_line)s(Info|dovecot:
>> auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\)
>> failed: (User not known to the underlying authentication$
>> ^%(__prefix_line)s(auth|auth-worker\(\d+\)):
>> (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info:
>> ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password
>> mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given
>> password: \w*)\))?$
> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\):
> (Password mismatch|unknown user)( \((SHA1 of given password:
> [0-9a-f]{5,40}|given password: \w*)\))?$
> ^^^^^^^
> You are missing the ID after the host part.
> --
> Christian Kivalo
>

Many thanks Christian.

Added that, but it still doesn’t match:

$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql([email protected],::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Running tests
=============

Use failregex line : ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S...
Use single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.00 sec]
|- Missed line(s):
| Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql([email protected],::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
`-

Any other suggestions?

Thanks,

James.
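
Added example, not part of the thread: a Python check of three failregex variants against a constructed copy of the log line above, showing which literal parts of each pattern line up with it. PREFIX and HOST are simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s and <HOST> expansions, the "auth_worker" variant is a hypothetical pattern written for this example, and the mailbox is a placeholder.

```python
import re

# Simplified stand-ins (assumptions), not fail2ban's real expansions.
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ dovecot\[\d+\]: "  # for %(__prefix_line)s
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"                    # for <HOST>

# Shared tail of the sql() patterns quoted in the thread.
TAIL = (r"(Password mismatch|unknown user)"
        r"( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$")

CANDIDATES = {
    # Last line of the original filter: no session ID after the host.
    "original": r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): " + TAIL,
    # Pattern from the reply: session ID added, still requires "auth: Info: ".
    "with_session_id": r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): " + TAIL,
    # Hypothetical variant: also accepts "auth-worker(N): ", "Info: " optional.
    "auth_worker": (r"^%(__prefix_line)s(auth|auth-worker\(\d+\)): (Info: )?"
                    r"sql\(\S+,<HOST>,<\S+>\): " + TAIL),
}

# Constructed line modelled on the one in the thread (placeholder mailbox).
LINE = ("Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): "
        "sql(user@example.com,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
        "Password mismatch (given password: 2)")

def expand(failregex):
    """Substitute the stand-ins for the two fail2ban placeholders."""
    return failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)

def matched_host(failregex, line):
    """Return the captured host if the pattern matches, else None."""
    m = re.search(expand(failregex), line)
    return m.group("host") if m else None

def evaluate(line=LINE):
    """Map each candidate name to the host it extracts from the line."""
    return {name: matched_host(rx, line) for name, rx in CANDIDATES.items()}

if __name__ == "__main__":
    for name, host in evaluate().items():
        print(f"{name:16} -> {host or 'no match'}")
```

Under these assumptions the first two patterns miss because the line is tagged "auth-worker(10094): " with no "Info: ", while both require the literal "auth: Info: "; any real filter change should still be confirmed with fail2ban-regex against the actual log.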
