For my use case, it’s overkill…no need to have all modes enabled...

> On Jul 7, 2020, at 12:30 PM, Nick Howitt <n...@howitts.co.uk> wrote:
> 
> Why couldn't you just enable aggressive mode?
> 
> On 07/07/2020 20:27, Antonio Leding wrote:
>> Thanks Nick & Graham — I have this working now and wanted to provide some 
>> quick notes for those who might walk down this path in the future:
>> 
>> - RE can be tested using the “fail2ban-regex” command — I found this 
>>   incredibly helpful.
>> - New RE and mode changes can be placed into the desired [ FILTER ].local 
>>   file.  In my case, this was the postfix.local file.  In fact, I would think 
>>   this is preferred so as to leave all of the *.conf files as is.
>> - I was able to create a new mode (must include both 'mdpr' & 'mdre') and 
>>   enable it in my postfix.local file.  No changes to the postfix.conf file 
>>   were required.
>> - It is important to not forget the 'mdpr' piece of this.  That is what was 
>>   missing from the code I posted earlier.
>> - Here is the code I used:
>> 
>> [Definition]
>> 
>> mdpr-auth3 = warning:
>> mdre-auth3 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
>> 
>> mode = auth3
>> 
>> 
>> Have fun...
>> 
>> 
>> 
>>> On Jul 6, 2020, at 2:18 AM, Nick Howitt <n...@howitts.co.uk> wrote:
>>> 
>>> 
>>> 
>>> On 06/07/2020 09:41, Graham wrote:
>>>> On Mon, 6 Jul 2020, Antonio Leding wrote:
>>>> 
>>>>> Date: Mon, 6 Jul 2020 04:38:14
>>>>> From: Antonio Leding <t...@leding.net>
>>>>> To: fail2ban-users@lists.sourceforge.net
>>>>> Subject: [Fail2ban-users] Parsing "Invalid authentication mechanism" in
>>>>>     postfix
>>>>> 
>>>>> I have a Postfix + fail2ban configured to ban when it encounters SASL auth
>>>>> errors. While most SASL errors do result in a ban, the following does not:
>>>>> "SASL LOGIN authentication failed: Invalid authentication mechanism”
>>>>> 
>>>> ...
>>>>> mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL
>>>>> ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection
>>>>> lost to authentication server| Invalid authentication mechanism)
>>>> 
>>>> ...
>>>> 
>>>> Hello Antonio,
>>>> 
>>>>     I cannot test my thinking, but I see "-MD5" in the regular expression, 
>>>> but not in the sample that you gave - hence the expression would match 
>>>> "LOGIN-MD5" but not "LOGIN auth ...".
>>>> 
>>>>     I hope this helps you,
>>> I find the level/overrides in the postfix filter confusing at the best of 
>>> times, but, having another go at it, the mdre-auth filter is only 
>>> triggered if you set mode to mdre-extra. For mdre-auth2 you need mode = 
>>> mdre-aggressive.
>>> If you set mdre-auth3, it will never be included anywhere unless you adjust 
>>> the modes. I think all you want is in the mdre-auth2 filter, so you just 
>>> want to enable the aggressive mode.
>>> 
>>> As far as I can see the MD5 bit is a red herring as it belongs to the 
>>> (?:CRAM|DIGEST) part of the regex only.
>>> 
>>> In the mdre-auth regex the (?! Connection lost to authentication server| 
>>> Invalid authentication mechanism) is a negative lookahead, so at least 
>>> excludes "Connection lost to authentication server" and may also exclude 
>>> your "Invalid authentication mechanism", but it is pushing my regex 
>>> knowledge. If I am right then just enabling mdre-auth2 will be good enough.
>>> 
>>> Regards,
>>> 
>>> Nick
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
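
Added example, not part of the thread and not fail2ban's own code: a Python check of the two expressions quoted above against constructed log lines, showing what the negative lookahead in mdre-auth excludes and what the auth3 variant picks up. The IPv4-only stand-in for <HOST>, the value used for %(_port)s, and the one-line model of the 'mdpr' prefix stage are assumptions.

```python
import re

# Assumptions (not from the thread): simplified IPv4-only stand-in for <HOST>
# and an optional ":port" for %(_port)s.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"

# The expressions quoted in the thread, with the mail line-wraps joined.
SASL = r"^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
MDRE_AUTH = SASL + (r"(?! Connection lost to authentication server"
                    r"| Invalid authentication mechanism)")
MDRE_AUTH3 = SASL
MDPR_AUTH3 = r"warning:"

def build(mdre):
    """Expand the placeholders and compile the failregex."""
    # Python 3.11+ rejects an inline (?i) that is not at the start of the
    # pattern, so drop it and pass re.IGNORECASE for the whole expression.
    pattern = mdre.replace("<HOST>", HOST).replace("%(_port)s", PORT)
    return re.compile(pattern.replace("(?i)", ""), re.IGNORECASE)

def banned_host(line, mdpr, mdre):
    """Return the host the expression would flag, or None."""
    # Simplified model of the prefix stage: the 'mdpr' text must follow the
    # syslog tag, and the 'mdre' is applied only to what comes after it.
    pre = re.search(r"postfix/smtpd\[\d+\]: " + mdpr + r" (?P<content>.+)$", line)
    if pre is None:
        return None
    hit = build(mdre).search(pre.group("content"))
    return hit.group("host") if hit else None

def sasl_line(ip, mech, reason):
    """Build one constructed postfix warning line."""
    return ("Jul  6 04:30:01 mail postfix/smtpd[1234]: warning: unknown[%s]: "
            "SASL %s authentication failed: %s" % (ip, mech, reason))

# Constructed sample lines (documentation addresses).
SAMPLES = [
    sasl_line("203.0.113.5", "LOGIN", "Invalid authentication mechanism"),
    sasl_line("203.0.113.6", "LOGIN", "UGFzc3dvcmQ6"),
    sasl_line("203.0.113.7", "CRAM-MD5", "Connection lost to authentication server"),
    "Jul  6 04:30:04 mail postfix/smtpd[1234]: connect from unknown[203.0.113.8]",
]

def results(mdre):
    return [banned_host(line, MDPR_AUTH3, mdre) for line in SAMPLES]

if __name__ == "__main__":
    print("mdre-auth :", results(MDRE_AUTH))
    print("mdre-auth3:", results(MDRE_AUTH3))
```

Dropping the lookahead also flags the "Connection lost to authentication server" line, so with auth3 an outage of the authentication backend counts as failures for the clients that hit it.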
