On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users wrote:
> On 2021-10-18 07:39, Krzysztof Adamski wrote:
> 
> > > Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)
> > > 
> > 
> > I was wrong, the auth-worker failures are not being used in the ban. Is there anything I can change to enable the ban on this?
> 
> failregex = ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*

Thank you for this, it matches when used on egrep (without <HOST>) with the mail.log file, but not when added to the failregex in the dovecot jail.

I'm suspecting that the prefregex needs to be tweaked to now include
this new log line.

The prefregex on my system is:
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$


and for completeness my failregex is:

failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$

            ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*

            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$

            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)

            <mdre-<mode>>


K
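To see why the suggested failregex matches with egrep on mail.log but not inside the jail, here is an added Python sketch (not from this thread and not fail2ban's own code) of fail2ban's two-stage matching: the prefregex strips the prefix and keeps only <F-CONTENT>, and the failregex is then run against that content alone. The __prefix_line, _auth_worker, __pam_auth and <HOST> macros are replaced by simplified stand-ins (assumed), and FAILREGEX_CONTENT is a hypothetical variant added only for comparison.

```python
import re

# Constructed sample: the auth-worker line quoted above, re-joined onto one line.
LOG_LINE = (
    "Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn "
    "unix:auth-worker (pid=41188,uid=108): auth-worker<119>: "
    "sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user "
    "(given password: qwer1234)"
)

# Assumed, simplified stand-ins for the fail2ban macros the posted prefregex uses.
# __prefix_line consumes the syslog date, hostname and "dovecot:" tag; _auth_worker
# and __pam_auth follow fail2ban's dovecot/common filters; <HOST> is IPv4-only here.
PREFIX_LINE = r"(?:\w{3}\s+\d+ \d\d:\d\d:\d\d\s+)?(?:\S+\s+)?(?:dovecot: )?"
AUTH_WORKER = r"(?:dovecot: )?auth(?:-worker)?"
PAM_AUTH = r"pam_[a-z]+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The prefregex as posted, with the macros expanded.
PREFREGEX = (
    r"^" + PREFIX_LINE + r"(?:" + AUTH_WORKER + r"(?:\([^\)]+\))?: )?"
    r"(?:" + PAM_AUTH + r"(?:\(dovecot:auth\))?: |"
    r"(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?P<content>.+)$"
)

# The failregex suggested in the thread, and a hypothetical variant written against
# the content that survives the prefregex (it no longer expects "auth-worker(").
FAILREGEX_SUGGESTED = r"^.*auth\-worker\(.*sql\(.*," + HOST + r",.*\)\: unknown user .*"
FAILREGEX_CONTENT = r"^.*sql\(\S*," + HOST + r",\S*\): unknown user"


def extract_content(line):
    """Stage 1 in fail2ban: prefregex strips the prefix and keeps only <F-CONTENT>."""
    m = re.search(PREFREGEX, line)
    return m.group("content") if m else None


def match_whole_line(line, failregex):
    """What egrep on mail.log sees: the full line, prefix included."""
    m = re.search(failregex, line)
    return m.group("host") if m else None


def match_in_jail(line, failregex):
    """Stage 2 in fail2ban: failregex runs against the extracted content only."""
    content = extract_content(line)
    if content is None:
        return None
    m = re.search(failregex, content)
    return m.group("host") if m else None
```

Against the full line the suggested pattern captures 219.145.118.23, but the prefregex has already consumed `auth-worker(41189): `, so the content handed to the failregex no longer contains `auth-worker(` and the jail match fails.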


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
