Hi, Sorry for the delay. Flu.
Will fail2ban act on these example lines below with the extra cipher details? I know the lines below would not trigger actions because there are not enough failures in the log. Normally dovecot does not have the TLS/cipher part logged. Will the regexes still match correctly?

Mar 11 08:52:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=125.69.11.254, lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 11 10:18:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): ju...@example.co.uk>, method=PLAIN, rip=37.59.8.29, lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 11 11:48:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): neoc...@example.co.uk>, method=PLAIN, rip=178.216.98.75, lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 11 13:37:39 mx10 dovecot: imap-login: Aborted login (auth failed, 4 attempts in 26 secs): junk4>, method=PLAIN, rip=71.213.169.18, lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 11 13:37:40 mx10 dovecot: imap-login: Aborted login (auth failed, 4 attempts in 26 secs): junk4>, method=PLAIN, rip=187.67.197.100, lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 11 22:35:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=182.100.218.83, lip=10.1.1.100, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

The jails are enabled in the config. I’ve not seen a match for 3 months since I installed the server.

[dovecot]
port = imap,imaps,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

> On 6 Mar 2018, at 10:50, Tom Hendrikx <t...@whyscream.net> wrote:
>
> On 06-03-18 08:59, Sophie Loewenthal wrote:
>> Morning,
>>
>> My logging from postfix and dovecot is in this format:
>>
>> Mar 6 07:49:45 mx dovecot: imap-login: Login: sop...@example.com>,
>> method=PLAIN, rip=94.19.2.3, lip=1.31.1.3, mpid=10655, TLS, TLSv1.2 with
>> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> Mar 6 07:55:36 mx postfix/smtpd[10793]: Anonymous TLS connection
>> established from unknown[94.19.2.3]: TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> How can I adapt the filter to pick this up? I don’t think the regex in
>> filter.d/postfix.conf|dovecot.conf will pick these changed lines up because
>> they have the ciphers included, will they?
>
> Lines that are not understood/matched by fail2ban are ignored.
>
> I don't think these lines signify anything that fail2ban should act on,
> but please explain what you would like fail2ban to do, based on those
> log lines?
>
>>
>> Best wishes,
>>
>> Sophie

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
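
An added example, not part of the original thread and not fail2ban's shipped filter: it shows how a failure pattern anchored at end-of-line stops matching once dovecot appends the "TLSv1 with cipher ..." suffix asked about above, and how an optional suffix group restores the match. Both patterns are simplified, hypothetical stand-ins, and the log lines are constructed with documentation IP addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted above (documentation IPs).
PFX = "Mar 11 08:52:04 mx10 dovecot: imap-login: "
SAMPLES = [
    PFX + "Disconnected (auth failed, 1 attempts in 2 secs): user=<a@example.co.uk>, "
          "method=PLAIN, rip=192.0.2.10, lip=10.1.1.100, TLS: Disconnected",
    PFX + "Disconnected (auth failed, 1 attempts in 2 secs): user=<b@example.co.uk>, "
          "method=PLAIN, rip=198.51.100.7, lip=10.1.1.100, TLS: Disconnected, "
          "TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    PFX + "Aborted login (auth failed, 4 attempts in 26 secs): user=<junk4>, "
          "method=PLAIN, rip=203.0.113.5, lip=10.1.1.100, TLS, "
          "TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    # Successful login: must never be counted as a failure.
    PFX + "Login: user=<c@example.com>, method=PLAIN, rip=192.0.2.99, "
          "lip=10.1.1.100, mpid=10655, TLS, TLSv1.2 with cipher "
          "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

# Hypothetical, simplified patterns (assumption: NOT fail2ban's shipped failregex).
HEAD = (r"dovecot: (?:imap|pop3)-login: (?:Aborted login|Disconnected) "
        r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.*? "
        r"rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3}), lip=[\d.]+")
TLS = r"(?:, TLS(?:: Disconnected)?)?"
CIPHER = r"(?:, TLSv\S+ with cipher \S+ \(\d+/\d+ bits\))?"
STRICT = re.compile(HEAD + TLS + r"\s*$")             # nothing allowed after TLS
TOLERANT = re.compile(HEAD + TLS + CIPHER + r"\s*$")  # optional cipher suffix


def failures(pattern, lines):
    """Count matching auth-failure lines per remote host."""
    return Counter(m.group("host") for m in map(pattern.search, lines) if m)


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, dict(failures(pat, SAMPLES)))
```

To check the installed filter itself rather than these stand-ins, run `fail2ban-regex` with the log file and the `filter.d/dovecot.conf` path as arguments; it reports how many lines matched and how many were missed.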