Hi,

you can test this using the fail2ban-regex tool. When I use one of your
example lines, it doesn't match on my setup (ubuntu 16.04, fail2ban
0.9.3). The similar logline from my own setup does match:

Feb 19 03:02:33 alison dovecot: imap-login: Disconnected (auth failed, 1
attempts in 7 secs): user=<john...@example.net>, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, TLS, session=<e1LxFYdlwKbes9bZ>

The latest config file for dovecot in github is completely different
from the one I'm using, but also lacks support for this AFAICS.

I guess we could come up with a regex that would support your log lines too.

Kind regards,
        Tom

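To show concretely what Tom's fail2ban-regex test reveals, here is an added example (it is not code from this thread and not the fail2ban project's own filter). The two patterns are my reconstruction of the general shape of a dovecot failregex in the fail2ban 0.9 series, written in plain Python `re`; the real file shipped with a given release may differ, so treat the "stock-like" pattern as an assumption. fail2ban's `<HOST>` placeholder is emulated with an IPv4 named group. The sample lines are constructed from the lines quoted in this thread, with the `user=<...>` part restored where the list archive mangled the addresses.

```python
import re

# Emulates fail2ban's <HOST> placeholder for the IPv4 addresses seen in the thread.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Syslog prefix as in "Mar 11 08:52:04 mx10 dovecot: ".
PREFIX = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ dovecot: "

# Shared middle part: the login-failure events, the user, the method and rip=/lip=.
FAILURE = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?: \(auth failed, \d+ attempts(?: in \d+ secs)?\))?: user=<\S*>,"
    r"(?: method=\S+,)? rip=" + HOST + r"(?:, lip=\S+)?"
)

# Assumed shape of the stock filter: after lip= it only tolerates ", TLS" or
# ", TLS handshaking..." plus an optional session id, then end of line. A trailing
# "TLSv1 with cipher ... (256/256 bits)" therefore breaks the match.
STOCK_LIKE = re.compile(
    PREFIX + FAILURE
    + r"(?:, TLS(?: handshaking(?:: \S+)?)?)?(?:, session=<\S+>)?\s*$"
)

# Widened pattern: optionally accept "TLS: <state>" and a ", TLSv1.x with cipher
# NAME (n/n bits)" description before the session id.
EXTENDED = re.compile(
    PREFIX + FAILURE + r"(?:, mpid=\d+)?"
    + r"(?:, TLS(?: handshaking(?:: \S+)?|: [^,]+)?"
    + r"(?:, TLSv[\d.]+ with cipher \S+ \(\d+/\d+ bits\))?)?"
    + r"(?:, session=<\S+>)?\s*$"
)

# Constructed sample lines based on the thread (addresses and user= restored).
SAMPLE_LINES = [
    # Tom's line: plain ", TLS, session=<...>" suffix, matched by both patterns.
    "Feb 19 03:02:33 alison dovecot: imap-login: Disconnected (auth failed, 1 "
    "attempts in 7 secs): user=<john@example.net>, method=PLAIN, rip=127.0.0.1, "
    "lip=127.0.0.1, TLS, session=<e1LxFYdlwKbes9bZ>",
    # Sophie's lines: TLS state and cipher description appended.
    "Mar 11 08:52:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 "
    "attempts in 2 secs): user=<hidden@example.co.uk>, method=PLAIN, "
    "rip=125.69.11.254, lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher "
    "DHE-RSA-AES256-SHA (256/256 bits)",
    "Mar 11 13:37:39 mx10 dovecot: imap-login: Aborted login (auth failed, 4 "
    "attempts in 26 secs): user=<junk4>, method=PLAIN, rip=71.213.169.18, "
    "lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    # A successful login with cipher details: must match neither pattern.
    "Mar  6 07:49:45 mx dovecot: imap-login: Login: user=<sophie@example.com>, "
    "method=PLAIN, rip=94.19.2.3, lip=1.31.1.3, mpid=10655, TLS, TLSv1.2 with "
    "cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]


def extract_hosts(regex, lines):
    """Return the rip= host for every line the given failregex matches."""
    return [m.group("host") for m in map(regex.match, lines) if m]


def compare(lines):
    """Per line: (matched by stock-like pattern, matched by extended pattern)."""
    return [(bool(STOCK_LIKE.match(l)), bool(EXTENDED.match(l))) for l in lines]


if __name__ == "__main__":
    for line, (stock, ext) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"stock-like={stock!s:5} extended={ext!s:5}  {line[:60]}...")
    print("hosts (stock-like):", extract_hosts(STOCK_LIKE, SAMPLE_LINES))
    print("hosts (extended):  ", extract_hosts(EXTENDED, SAMPLE_LINES))
```

Only the first sample line is caught by the stock-like pattern; the widened one also returns the two rip= addresses from the cipher-suffixed failures while still ignoring the successful "Login:" line. Against a real installation the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf`, which reports how many lines each failregex matched.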
On 12-03-18 10:02, Sophie Loewenthal wrote:
> Hi, 
> 
> Sorry for the delay. Flu.
> 
> Will fail2ban act on these example lines below with the extra cipher details?
> 
> I know the lines below would not trigger actions because there are not enough 
> failures in the log. Normally dovecot does not have the TLS/cipher part 
> logged. Will the regexes still match correctly?
> 
> 
> Mar 11 08:52:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=125.69.11.254, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher DHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 10:18:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): ju...@example.co.uk>, method=PLAIN, rip=37.59.8.29, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 11:48:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): neoc...@example.co.uk>, method=PLAIN, rip=178.216.98.75, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 13:37:39 mx10 dovecot: imap-login: Aborted login (auth failed, 4 
> attempts in 26 secs): junk4>, method=PLAIN, rip=71.213.169.18, 
> lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> Mar 11 13:37:40 mx10 dovecot: imap-login: Aborted login (auth failed, 4 
> attempts in 26 secs): junk4>, method=PLAIN, rip=187.67.197.100, 
> lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> Mar 11 22:35:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=182.100.218.83, 
> lip=10.1.1.100, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> 
> 
> The jails are enabled in the config. I've not seen a match for 3 months since 
> I installed the server.
> [dovecot]
> port    = imap,imaps,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> [sieve]
> port   = smtp,465,submission
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> 
> 
> 
>> On 6 Mar 2018, at 10:50, Tom Hendrikx <t...@whyscream.net> wrote:
>>
>>
>>
>> On 06-03-18 08:59, Sophie Loewenthal wrote:
>>> Morning, 
>>>
>>> My logging from postfix and dovecot is in this format:
>>>
>>> Mar  6 07:49:45 mx dovecot: imap-login: Login: sop...@example.com>, 
>>> method=PLAIN, rip=94.19.2.3, lip=1.31.1.3, mpid=10655, TLS, TLSv1.2 with 
>>> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>
>>> Mar  6 07:55:36 mx postfix/smtpd[10793]: Anonymous TLS connection 
>>> established from unknown[94.19.2.3]: TLSv1.2 with cipher 
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>
>>> How can I adapt the filter to pick this up? I don’t think the regex in  
>>> filter.d/postfix.conf|dovecot.conf will pick these changed lines up because 
>>> they have the ciphers included, will they?
>>
>> Lines that are not understood/matched by fail2ban are ignored.
>>
>> I don't think these lines signify anything that fail2ban should act on,
>> but please explain what you would like fail2ban to do, based on those
>> log lines?
>>
>>>
>>> Best wishes,
>>>
>>> Sophie 
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>
>>
> 
> 
> 
