I'm not sure what you want at the beginning for the date/time and 
process id (login_saslauthd_server?) but then shouldn't the regex be 
something like:

authenticator failed for \(.*\) \[<HOST>\]: 535 Incorrect authentication 
data

You could get cute and regex the first IP address but it is not worth it 
unless \) ends up matching the end of the set_id bit

Nick

On 2016-11-29 15:31, Drew Happli wrote:
> I am running into an issue in getting the correct regex for my Exim
> logs to be able to block/ban people who are trying to brute force
> spamming through my server.    A few weeks ago we found a user's
> account that was compromised and was being used to send spam.  We
> forced the user to change their password.  After that we found a
> number of our userbase had older passwords.  So we forced everyone to
> change their passwords.   Now we are seeing tons of attempted logins
> for these accounts that are not working.
> 
> I have included all relevant configs and log files below:
> 
> Errors in the /var/log/exim4/mainlog:
> 
> 2016-11-29 09:43:28 login_saslauthd_server authenticator failed for
> 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]:
> 535 Incorrect authentication data (set_id=axxxxxxx)
> 2016-11-29 09:43:38 login_saslauthd_server authenticator failed for
> 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]:
> 535 Incorrect authentication data (set_id=axxxxxxx)
> 2016-11-29 09:46:51 login_saslauthd_server authenticator failed for
> cpe-173-172-251-146.rgv.res.rr.com (RmJCYi) [173.172.251.146]: 535
> Incorrect authentication data (set_id=axxxxxxx)
> 2016-11-29 09:48:36 login_saslauthd_server authenticator failed for
> dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1])
> [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
> 2016-11-29 09:48:45 login_saslauthd_server authenticator failed for
> dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1])
> [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
> 2016-11-29 09:50:31 login_saslauthd_server authenticator failed for
> mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4])
> [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
> 2016-11-29 09:50:41 login_saslauthd_server authenticator failed for
> mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4])
> [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
> 2016-11-29 09:54:19 login_saslauthd_server authenticator failed for
> ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data
> (set_id=cxxxxxxx)
> 2016-11-29 09:54:30 login_saslauthd_server authenticator failed for
> ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data
> (set_id=cxxxxxxx)
> 2016-11-29 09:57:35 login_saslauthd_server authenticator failed for
> ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data
> (set_id=dxxxxxx)
> 2016-11-29 09:57:40 login_saslauthd_server authenticator failed for
> ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data
> (set_id=cxxxxxxx)
> 2016-11-29 10:18:11 login_saslauthd_server authenticator failed for
> ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data
> (set_id=dxxxxxx)
> 2016-11-29 10:18:21 login_saslauthd_server authenticator failed for
> ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data
> (set_id=cxxxxxxx)
> 
> sasl.conf
> 
> # Fail2Ban configuration file
> #
> # Author: Yaroslav Halchenko
> #
> # $Revision: 728 $
> #
> 
> [Definition]
> 
> # Option: failregex
> # Notes.: regex to match the password failures messages in the
> logfile. The
> # host must be matched by a group named "host". The tag "<HOST>" can
> # be used for standard IP/hostname matching and is only an alias for
> # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
> # Values: TEXT
> #
> 
> # Bad Regexes
> # failregex = login_saslauthd_server authenticator failed for
> \[<HOST>\]: 535 Incorrect authentication data
> # failregex = ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\)
> \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect
> authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
> 
> # Current regex:
> 
> failregex = "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect
> authentication"
> 
> # Option: ignoreregex
> # Notes.: regex to ignore. If this regex matches, the line is ignored.
> # Values: TEXT
> #
> ignoreregex =
> 
> jail.local:
> 
> [sasl]
> enabled = true
> port = smtp
> filter = sasl
> logpath = /var/log/exim4/mainlog
> maxretry = 2
> 
> Test of the regex:
> 
> fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/sasl.conf
> -v
> 
> Running tests
> =============
> 
> Use failregex file : /etc/fail2ban/filter.d/sasl.conf
> Use log file : /var/log/exim4/mainlog
> 
> Results
> =======
> 
> Failregex: 0 total
> |- #) [# of hits] regular expression
> | 1) [0] "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect
> authentication"
> `-
> 
> Ignoreregex: 0 total
> 
> Date template hits:
> |- [# of hits] date format
> | [905] Year-Month-Day Hour:Minute:Second
> | [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
> | [0] WEEKDAY MONTH Day Hour:Minute:Second Year
> | [0] WEEKDAY MONTH Day Hour:Minute:Second
> | [0] MONTH Day Hour:Minute:Second
> | [0] Year/Month/Day Hour:Minute:Second
> | [0] Day/Month/Year Hour:Minute:Second
> | [0] Day/Month/Year2 Hour:Minute:Second
> | [0] Day/MONTH/Year:Hour:Minute:Second
> | [0] Month/Day/Year:Hour:Minute:Second
> | [0] Year-Month-Day Hour:Minute:Second[,subsecond]
> | [0] Year.Month.Day Hour:Minute:Second
> | [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> | [0] Day-Month-Year Hour:Minute:Second
> | [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
> | [0] TAI64N
> | [0] Epoch
> | [0] ISO 8601
> | [0] Hour:Minute:Second
> | [0] <Month/Day/Year@Hour:Minute:Second>
> | [0] YearMonthDay Hour:Minute:Second
> | [0] Month-Day-Year Hour:Minute:Second
> `-
> 
> Lines: 905 lines, 0 ignored, 0 matched, 905 missed
> Missed line(s): too many to print. Use --print-all-missed to print all
> 905 lines
> 
> Please let me know if I have forgotten a log file, a config file, or
> any other information that would be useful to help me solve this
> issue.
> 
> Thank you.
> 
> Drew.
> 
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
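The quickest way to see why the posted filter scores 0 hits is to run the candidate patterns through the same steps fail2ban-regex takes: cut the recognised timestamp off the line, expand `<HOST>` with the alias printed in the sasl.conf comment, and `re.search` the remainder. The harness below is an added example, not code from the thread or from fail2ban itself. Its sample input is the wrapped mainlog entries from Drew's message re-joined into the single lines Exim writes, plus one constructed delivery line to check for false positives. The `GENERALISED` pattern is my own assumption and goes beyond the thread: it accepts an optional reverse-DNS name before the parenthesised part, so it catches both line shapes in the log excerpt, whereas the suggested `\(.*\)` form only matches lines where the parenthesis follows `for` directly. The surrounding double quotes in the posted "current" regex are the actual defect: fail2ban reads the value verbatim, so they become literal characters that no log line contains.

```python
import re
from collections import Counter

# Expansion of the <HOST> tag, copied from the comment in the posted sasl.conf.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample: the wrapped mainlog lines from the post, re-joined into
# the single lines Exim actually writes, plus one made-up delivery line.
SAMPLE_LOG = [
    "2016-11-29 09:43:28 login_saslauthd_server authenticator failed for "
    "80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: "
    "535 Incorrect authentication data (set_id=axxxxxxx)",
    "2016-11-29 09:43:38 login_saslauthd_server authenticator failed for "
    "80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: "
    "535 Incorrect authentication data (set_id=axxxxxxx)",
    "2016-11-29 09:46:51 login_saslauthd_server authenticator failed for "
    "cpe-173-172-251-146.rgv.res.rr.com (RmJCYi) [173.172.251.146]: 535 "
    "Incorrect authentication data (set_id=axxxxxxx)",
    "2016-11-29 09:54:19 login_saslauthd_server authenticator failed for "
    "([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data "
    "(set_id=cxxxxxxx)",
    "2016-11-29 09:54:30 login_saslauthd_server authenticator failed for "
    "([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data "
    "(set_id=cxxxxxxx)",
    # Constructed non-failure line: a normal delivery must never match.
    "2016-11-29 09:55:00 1cBxyz-0001Ab-Cd => user@example.org R=dnslookup T=remote_smtp",
]

# The "Year-Month-Day Hour:Minute:Second" template that fail2ban-regex reported
# hitting all 905 lines; fail2ban removes the date before applying failregex.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Candidate failregex values, as they appear in the thread.
CURRENT_QUOTED = r'"\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"'
CURRENT_UNQUOTED = CURRENT_QUOTED.strip('"')
NICK_SUGGESTED = r"authenticator failed for \(.*\) \[<HOST>\]: 535 Incorrect authentication data"
# Assumed generalisation (not from the thread): an optional reverse-DNS name may
# precede the parenthesised part, so both line shapes in the excerpt match.
GENERALISED = (r"authenticator failed for (?:\S+ )?\(\S+\) \[<HOST>\]: "
               r"535 Incorrect authentication data")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def strip_date(line):
    """Drop the leading timestamp, as fail2ban does before matching."""
    return DATE_RE.sub("", line, count=1)


def failing_hosts(pattern, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(pattern, lines, maxretry):
    """Hosts that reached the jail's maxretry (findtime is ignored here)."""
    counts = Counter(failing_hosts(pattern, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pat in [("current (quoted)", CURRENT_QUOTED),
                      ("current (unquoted)", CURRENT_UNQUOTED),
                      ("suggested", NICK_SUGGESTED),
                      ("generalised", GENERALISED)]:
        hosts = failing_hosts(pat, SAMPLE_LOG)
        print(f"{name:20s} {len(hosts)} hits {hosts}")
    print("would ban with maxretry=2:", hosts_to_ban(GENERALISED, SAMPLE_LOG, 2))
```

Run against the sample, the quoted pattern scores 0 hits, the same pattern without quotes scores 5, the suggested pattern scores 2 (only the lines with no hostname before the parenthesis), and the generalised one scores 5 with no hit on the delivery line. `hosts_to_ban` applies the jail's `maxretry = 2` to the captured hosts; a real jail also requires the failures to fall inside `findtime`, which this harness deliberately leaves out.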
