Oh, maybe it was all those auth failed messages.... 

On July 12, 2018 10:30:47 AM CEST, Sophie Loewenthal <sop...@klunky.co.uk> wrote:
>Hi Nick,
>
>Here you go.  domain name/users have been obfuscated.
>
>
>Running tests
>=============
>
>Use   failregex filter file : dovecot, basedir: /etc/fail2ban
>Use         log file : /var/log/mail.log.1
>Use         encoding : UTF-8
>
>
>Results
>=======
>
>Failregex: 11 total
>|-  #) [# of hits] regular expression
>|   4) [11] dovecot:.+auth failed.+rip=<HOST>
>`-
>
>Ignoreregex: 0 total
>
>Date template hits:
>|- [# of hits] date format
>|  [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:Year)?
>`-
>
>Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
>[processed in 0.78 sec]
>
>|- Matched line(s):
>|  Jul 11 20:16:48 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 8 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed,
>2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN,
>rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher
>ECDHE-RSA-AES256-SHA (256/256 bits)
>|  Jul 11 20:19:26 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:19:57 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:23:21 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 11 20:33:53 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN,
>rip=127.0.0.1, lip=127.0.0.1, secured
>|  Jul 12 00:47:33 mx10 dovecot: imap-login: Disconnected (auth failed,
>1 attempts in 3 secs): ju...@example.co.uk>, method=PLAIN,
>rip=61.231.17.69, lip=172.31.1.100, TLS: Disconnected, TLSv1 with
>cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>`-
>Missed line(s): too many to print.  Use --print-all-missed to print all
>6117 lines
>
>
>
>> On 12 Jul 2018, at 09:50, Nick Howitt <n...@howitts.co.uk> wrote:
>> 
>> Sorry, should have replied to list.
>> 
>> Add --print-all-matched to the fail2ban-regex command
>> 
>> On 12/07/2018 07:59, Sophie Loewenthal wrote:
>>> 
>>> Morning,
>>> 
>>> A new K9 Mail client gets banned all the time and I am trying to
>>> work out why.
>>> I have this regex:
>>> failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
>>>             dovecot:.+rip=<HOST>.+wrong version number
>>>             dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
>>>             dovecot:.+auth failed.+rip=<HOST>
>>>             dovecot:.+no auth attemps.+rip=<HOST>
>>> The mail.log has lines like these. The last line spams the log
>>> several times a second.
>>> Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>,
>>> method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS,
>>> TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>>> Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection
>>> closed (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in
>>> + 10+0 B out, state=wait-input) in=179 out=1726
>>> user2
>>> So I tested the regex and had 11 hits - Unsure how to show those
>>> matched lines.
>>> # fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r
>>> 
>>> Running tests
>>> =============
>>> 
>>> Use failregex filter file : dovecot, basedir: /etc/fail2ban
>>> Use log file : /var/log/mail.log.1
>>> Use encoding : UTF-8
>>> 
>>> 
>>> Results
>>> =======
>>> 
>>> Failregex: 11 total
>>> |- #) [# of hits] regular expression
>>> | 4) [11] dovecot:.+auth failed.+rip=<HOST>
>>> `-
>>> 
>>> Ignoreregex: 0 total
>>> 
>>> Date template hits:
>>> |- [# of hits] date format
>>> | [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:Year)?
>>> `-
>>> 
>>> Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
>>> [processed in 0.77 sec]
>>> 
>>> Missed line(s): too many to print. Use --print-all-missed to print
>>> all 6117 lines
>>> For the time being I have set the IPs in the ignoreip regex.
>>> I've not seen the dovecot message "Connection closed (IDLE running
>>> for 0.001 + waiting input for" before. I don't know what it means, but
>>> the logs sometimes get spammed by it from K9 Mail.
>>> Has anyone seen this afore?
>>> Best, Sophie
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> 
>>> 
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>> 
>> 
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
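Nick's diagnosis ("maybe it was all those auth failed messages") can be checked by replaying Sophie's failregex set against log lines of the shape she posted. The script below is an added example written for this page; it is not fail2ban's own code and was not supplied by either poster. It assumes a simplified stand-in for fail2ban's `<HOST>` expansion, the year 2018 for the yearless syslog timestamps, a simplified sliding-window model of maxretry/findtime, 127.0.0.0/8 as the default ignoreip, and constructed sample lines modelled on the ones in the thread (the `user=<...>` form is dovecot's normal format, which the thread's obfuscation removed). It reproduces the 11 matches of the fail2ban-regex run, shows that six of them come from the K9 client's address within four seconds, which is enough to trip a maxretry of 5, and shows that the localhost lines never count once 127.0.0.0/8 is ignored.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# The failregex set Sophie posted, copied as posted (including the "attemps" spelling).
# fail2ban expands <HOST> itself; HOST_PATTERN is a simplified stand-in for that
# expansion (assumption), sufficient for the IPv4 addresses in the sample lines.
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attemps.+rip=<HOST>",
]
HOST_PATTERN = r"(?P<host>[\w\-.:]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in FAILREGEX]

# syslog timestamps carry no year; 2018 is assumed from the thread's date.
YEAR = 2018
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def match_failure(line):
    """Return (timestamp, host) for the first failregex that matches, else None."""
    ts = TS_RE.match(line)
    if ts is None:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            stamp = datetime.strptime(f"{YEAR} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
            return stamp, m.group("host")
    return None


def count_hits(lines):
    """Failures per host: the per-IP breakdown behind fail2ban-regex's 'N matched'."""
    hits = defaultdict(int)
    for line in lines:
        hit = match_failure(line)
        if hit is not None:
            hits[hit[1]] += 1
    return dict(hits)


def simulate_bans(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.0/8",)):
    """Replay lines through a per-host sliding findtime window (a simplified model of
    fail2ban's jail logic, assumed here). Returns {host: failures_when_banned}."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        stamp, host = hit
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname rather than an address: never matched by ignoreip here
        if host in banned or (addr is not None and any(addr in net for net in ignored)):
            continue
        q = window[host]
        q.append(stamp)
        while (stamp - q[0]).total_seconds() > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = len(q)
    return banned


def auth_failed_line(ts, attempts, secs, rip, lip, tail):
    """Build a dovecot 'auth failed' line in the shape of those in the thread (constructed)."""
    return (f"{ts} mx10 dovecot: imap-login: Disconnected (auth failed, {attempts} attempts "
            f"in {secs} secs): user=<user@example.co.uk>, method=PLAIN, rip={rip}, lip={lip}, {tail}")


TLS_TAIL = "TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)"
# Constructed sample log modelled on the thread: two lines no failregex should match,
# then the 11 'auth failed' lines (6 from the K9 client's IP, 4 from localhost, 1 other).
SAMPLE_LOG = [
    "Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<user@example.co.uk>, "
    "method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, " + TLS_TAIL,
    "Jul 11 06:23:07 mx10 dovecot: imap(user@example.co.uk): Connection closed (IDLE running "
    "for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, state=wait-input) "
    "in=179 out=1726",
    auth_failed_line("Jul 11 20:16:48", 2, 8, "94.109.31.39", "172.31.1.100", TLS_TAIL),
]
SAMPLE_LOG += [auth_failed_line("Jul 11 20:16:52", 2, 12, "94.109.31.39", "172.31.1.100", TLS_TAIL)
               for _ in range(5)]
SAMPLE_LOG += [auth_failed_line(f"Jul 11 {t}", 1, 2, "127.0.0.1", "127.0.0.1", "secured")
               for t in ("20:19:26", "20:19:57", "20:23:21", "20:33:53")]
SAMPLE_LOG.append(auth_failed_line("Jul 12 00:47:33", 1, 3, "61.231.17.69", "172.31.1.100",
                                   "TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)"))

if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOG)
    print(f"{sum(hits.values())} matched:", hits)
    print("banned with defaults (maxretry=5, findtime=600, 127.0.0.0/8 ignored):",
          simulate_bans(SAMPLE_LOG))
    print("banned with maxretry=3 and an empty ignoreip:",
          simulate_bans(SAMPLE_LOG, maxretry=3, ignoreip=()))
```

Run it directly to print the breakdown. The "Connection closed (IDLE running ..." line that spams the log matches none of the five patterns, so it is not what triggers the ban; the "auth failed" lines from the client's own address are, and each of them records the client failing authentication, so the jail is behaving as configured. Sophie's interim workaround of listing the address in ignoreip corresponds to passing it in the `ignoreip` argument here.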