On 21/10/2021 21:53, Krzysztof Adamski wrote:
On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote:
On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users
wrote:
On 2021-10-18 07:39, Krzysztof Adamski wrote:

Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)

I was wrong, the auth-worker failures are not being used in the
ban. Is
there anything I can change to enable the ban on this?

failregex = ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*

Thank you for this, it matches when used on egrep (without <HOST>) with
the mail.log file, but not when added to the failregex in the dovecot
jail.

I'm suspecting that the prefregex needs to be tweaked to now include
this new log line.

The prefregex on my system is:
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

and for completeness my failregex is:

failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$

            ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*

            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$

            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)

            <mdre-<mode>>


K


So I have discovered 'fail2ban-regex' :-), and now I started playing
with the regular expression.
Even though the expression provided by James matches when using a
website for testing regexes, it would not match in fail2ban.
I modified the expression to:
^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*
and that matches in fail2ban. What I think is the difference is that
this expression matches on the second 'auth-worker', whereas James'
expression matches on the first 'auth-worker'.

Could somebody explain why that is?

Thanks,
K
Aren't you then missing something like "_daemon = auth-worker" to pick up the first occurrence of auth-worker?
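Added example, not from the thread or from fail2ban's own code: a small Python model of the two-stage matching fail2ban does (prefregex first, then failregex only against the <F-CONTENT> part), run on the auth-worker log line quoted above, so the "matches with egrep but not in the jail" behaviour can be reproduced offline. The stand-in for %(__prefix_line)s, the simplified %(__pam_auth)s and the minimal <HOST> group are assumptions; the prefregex tail and both failregexes are the ones quoted in the thread.

```python
import re

# Constructed sample: the auth-worker log line quoted in the thread, unwrapped.
LOG = ("Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker "
       "(pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): "
       "unknown user (given password: qwer1234)")

# Assumption: minimal stand-in for fail2ban's %(__prefix_line)s (timestamp, host,
# optional "dovecot: "); the rest of PREFREGEX follows the dovecot prefregex above.
PREFIX_LINE = r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?:dovecot: )?"
AUTH_WORKER = r"(?:dovecot: )?auth(?:-worker)?"   # fail2ban's _auth_worker
PAM_AUTH = r"pam_unix"                             # simplified %(__pam_auth)s
PREFREGEX = (r"^" + PREFIX_LINE
             + r"(?:" + AUTH_WORKER + r"(?:\([^\)]+\))?: )?"
             + r"(?:" + PAM_AUTH + r"(?:\(dovecot:auth\))?: "
             + r"|(?:pop3|imap|managesieve|submission)-login: )?"
             + r"(?:Info: )?(?P<content>.+)$")    # <F-CONTENT>.+</F-CONTENT>

# The two failregex variants discussed in the thread.
FAILREGEX_JAMES = r"^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*"
FAILREGEX_FIXED = r"^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*"

def expand_host(failregex):
    # Assumption: <HOST> as a minimal named group; fail2ban's real one is far stricter.
    return failregex.replace("<HOST>", r"(?P<host>[^,\s]+)")

def content_after_prefregex(line):
    # Stage 1: prefregex consumes "... dovecot: auth-worker(41189): ", and only the
    # <F-CONTENT> remainder is handed on to the failregex list.
    m = re.match(PREFREGEX, line)
    return m.group("content") if m else None

def host_from_jail(failregex, line):
    # Stage 2: failregex is matched against the F-CONTENT part, as the jail does.
    content = content_after_prefregex(line)
    if content is None:
        return None
    m = re.match(expand_host(failregex), content)
    return m.group("host") if m else None

def host_from_whole_line(failregex, line):
    # What the egrep test on mail.log effectively checked: failregex on the raw line,
    # where the first "auth-worker(" (the one prefregex would eat) is still present.
    m = re.match(expand_host(failregex), line)
    return m.group("host") if m else None

if __name__ == "__main__":
    print("F-CONTENT:", content_after_prefregex(LOG))
    for name, rx in (("James", FAILREGEX_JAMES), ("modified", FAILREGEX_FIXED)):
        print(name, "| whole line:", host_from_whole_line(rx, LOG),
              "| in jail:", host_from_jail(rx, LOG))
```

Running it shows James' pattern extracting the host from the raw line but returning nothing once the prefix has been consumed, while the modified pattern (matching "auth-worker (" inside the content) succeeds in both cases.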


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users