Sorry. Should have replied to list.

Add --print-all-matched to the fail2ban-regex command

On 12/07/2018 07:59, Sophie Loewenthal wrote:

Morning,

A new K9 Mail client gets banned all the time and I am trying to work out why.
I have this regex:
failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>
            dovecot:.+no auth attemps.+rip=<HOST>
The mail.log has lines like these. The last line spams the log several times a second.

Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>, method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, state=wait-input) in=179 out=1726
user2
So I tested the regex and had 11 hits - Unsure how to show those matched lines.
# fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r

Running tests
=============

Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8


Results
=======

Failregex: 11 total
|- #) [# of hits] regular expression
| 4) [11] dovecot:.+auth failed.+rip=<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.77 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 6117 lines
For the time being I have set the IPs in the ignoreip regex.
I've not seen the dovecot message "Connection closed (IDLE running for 0.001 + waiting input for" before. I don't know what it means, but the logs sometimes get spammed by it from K9 Mail.
Has anyone seen this afore?
Best, Sophie


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
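What --print-all-matched reports for this filter, sketched as an added example (not part of the original messages and not fail2ban's own code): the five failregex lines quoted above are run over a small log and every matched line is returned with its rule number and host. Assumptions: the <HOST> tag is replaced by a simplified IPv4-only group, the timestamp is left on the line (harmless here because the rules are unanchored), and the sample log is constructed, modelled on the lines in the message.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The five failregex lines from the filter quoted above, unchanged.
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attemps.+rip=<HOST>",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample log: users, addresses and timings are made up.
SAMPLE_LOG = """\
Jul 11 06:01:40 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.31.1.100, TLS
Jul 11 06:01:49 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.31.1.100, TLS
Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=172.31.1.100, mpid=17126, TLS
Jul 11 06:23:07 mx10 dovecot: imap(alice@example.org): Connection closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, state=wait-input) in=179 out=1726
Jul 11 06:30:00 mx10 dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.9, lip=172.31.1.100, TLS
"""


def matched_lines(log_text):
    """Return (rule_number, host, line) for each line a failregex hits."""
    hits = []
    for line in log_text.splitlines():
        for number, rx in enumerate(COMPILED, start=1):
            m = rx.search(line)
            if m:
                hits.append((number, m.group("host"), line))
                break  # count a line once, under the first rule that hits
    return hits


def failures_per_host(hits):
    """Count matched lines per host, i.e. what accumulates toward a ban."""
    return dict(Counter(host for _, host, _ in hits))


if __name__ == "__main__":
    for number, host, line in matched_lines(SAMPLE_LOG):
        print(f"rule {number}  {host}  {line}")
    print(failures_per_host(matched_lines(SAMPLE_LOG)))
```

On the sample, only the two "auth failed" lines are hits; the successful Login line and the "Connection closed (IDLE ..." line match none of the five rules. The constructed "no auth attempts" line is also missed, because rule 5 is spelled "attemps".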