On Fri, 2021-10-22 at 12:11 +0100, Nick Howitt via Fail2ban-users wrote:
>
> On 21/10/2021 21:53, Krzysztof Adamski wrote:
> > On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote:
> > > On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users wrote:
> > > > On 2021-10-18 07:39, Krzysztof Adamski wrote:
> > > > >
> > > > > > Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)
> > > > >
> > > > > I was wrong, the auth-worker failures are not being used in the ban. Is there anything I can change to enable the ban on this?
> > > >
> > > > failregex = ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*
> > >
> > > Thank you for this, it matches when used on egrep (without <HOST>) with the mail.log file, but not when added to the failregex in the dovecot jail.
> > >
> > > I'm suspecting that the prefregex needs to be tweaked to now include this new log line.
> > >
> > > The prefregex on my system is:
> > > prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
> > >
> > > and for completeness my failregex is:
> > >
> > > failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
> > >             ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*
> > >             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
> > >             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
> > >             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
> > >             <mdre-<mode>>
> > >
> > > K
> >
> > So I have discovered 'fail2ban-regex' :-), and now I started playing with the regular expression.
> > Even though the expression provided by James matches when using a website for testing regex, it would not match in fail2ban.
> > I modified the expression to:
> > ^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*
> > and that matches in fail2ban. What I think is the difference is that this expression matches on the second 'auth-worker', whereas James' expression matches on the first 'auth-worker'.
> >
> > Could somebody explain why that is?
> >
> > Thanks,
> > K
>
> Aren't you then missing something like "_daemon = auth-worker" to pick up the first occurrence of auth-worker?
OK, that explains it I think, the definitions are as follows:

[Definition]

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

The first auth is eaten by the _daemon definition.

Thanks,
K

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
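The following is an added worked example, not code from the thread or from fail2ban itself. It reproduces the behaviour the thread settles on: fail2ban first applies the prefregex to the whole log line and then tries each failregex only against the <F-CONTENT> remainder, so a rule that matches the raw line under egrep can still fail inside the jail. The _daemon, _auth_worker, prefregex and failregex patterns are quoted from the thread; the __prefix_line, __pam_auth and <HOST> expansions are simplified stand-ins (assumptions) for fail2ban's common.conf macros, and the sample log line is the one posted above.

```python
import re

# Added example, not fail2ban's own code: it mimics fail2ban's two-stage match
# (prefregex first, then each failregex against the <F-CONTENT> remainder) so
# the behaviour discussed in the thread can be reproduced offline.
# Patterns marked "from the thread" are quoted from filter.d/dovecot.conf as
# posted above; everything marked "assumption" is a simplified stand-in for a
# fail2ban common.conf macro.

# From the thread.
DAEMON = r"(?:dovecot(?:-auth)?|auth)"
AUTH_WORKER = r"(?:dovecot: )?auth(?:-worker)?"

# Assumption: cut-down %(__prefix_line)s covering "<timestamp> <host> <daemon>[pid]: ".
PREFIX_LINE = (
    r"^(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?"       # syslog timestamp
    r"(?:\S+\s+)?"                                        # hostname
    r"(?:" + DAEMON + r"(?:\(\S+\))?(?:\[\d+\])?:\s+)?"   # e.g. "dovecot: "
)
# Assumption: simplified %(__pam_auth)s.
PAM_AUTH = r"pam_unix"

# From the thread: the dovecot prefregex, with <F-CONTENT> as a named group.
PREFREGEX = re.compile(
    PREFIX_LINE
    + r"(?:" + AUTH_WORKER + r"(?:\([^\)]+\))?: )?"
    + r"(?:" + PAM_AUTH + r"(?:\(dovecot:auth\))?: "
    + r"|(?:pop3|imap|managesieve|submission)-login: )?"
    + r"(?:Info: )?(?P<content>.+)$"
)

# Assumption: IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The rules discussed in the thread.
JAMES_REGEX = r"^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*"
KRZYSZTOF_REGEX = r"^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*"
# The stock dovecot "unknown user" rule from the thread, which expects the
# content to begin with something like "sql(".
STOCK_SQL_REGEX = (
    r"^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): "
    r"(?:unknown user|invalid credentials|Password mismatch)"
)

# The log line quoted in the thread.
LOG_LINE = (
    "Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker "
    "(pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,"
    "<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)"
)


def content_after_prefregex(line):
    """What fail2ban hands to the failregex list: the <F-CONTENT> remainder.

    Everything the prefix line and prefregex consume (timestamp, host, the
    "dovecot:" daemon tag and the first "auth-worker(41189): ") is gone.
    """
    m = PREFREGEX.match(line)
    return m.group("content") if m else None


def fail2ban_style_match(line, failregex):
    """Return the <HOST> captured the way fail2ban would, or None."""
    content = content_after_prefregex(line)
    if content is None:
        return None
    m = re.compile(failregex.replace("<HOST>", HOST)).search(content)
    return m.group("host") if m else None


def egrep_style_match(line, failregex):
    """Return the <HOST> captured when the rule is tried on the raw line,
    which is what testing with egrep or a regex website does."""
    m = re.compile(failregex.replace("<HOST>", HOST)).search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    print("content:", content_after_prefregex(LOG_LINE))
    for name, rule in (("James", JAMES_REGEX), ("Krzysztof", KRZYSZTOF_REGEX),
                       ("stock sql", STOCK_SQL_REGEX)):
        print(f"{name:10} egrep={egrep_style_match(LOG_LINE, rule)!s:16}"
              f"fail2ban={fail2ban_style_match(LOG_LINE, rule)}")
```

Run with `python3 dovecot_prefregex.py` (hypothetical filename). James's rule finds a host on the raw line but returns None after the prefregex, because the only `auth-worker(` with no space was the one the prefix consumed; Krzysztof's rule anchors on the second `auth-worker (` that survives into the content and captures 219.145.118.23 in both modes. The stock `^[a-z\-]{3,15}\(` rule also returns None, since the surviving content starts with `conn unix:` rather than `sql(`. In a real deployment the equivalent check is the `fail2ban-regex` tool mentioned in the thread, which applies the jail's actual prefregex and macros rather than these simplified stand-ins.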