Hi all, I'd appreciate some help with a regex on dovecot that I can't seem to get right. Config is ...
platform: slackware 15 64bit
fail2ban: v0.9.4

dovecot.conf:

[INCLUDES]
before = common.conf

[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password m
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
# ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b
            ^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$
            ^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$

ignoreregex =

[Init]
# journalmatch = _SYSTEMD_UNIT=dovecot.service

Per above, I've tried a number of variations on the regex (the last 5 regexes) but get no matches.
The matched entry should be found in the log:

Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
Jan 24 22:32:11 xxx dovecot: imap(1804): Error: auth-master: login: request [1420820481]: Login auth request failed: Authenticated user not found from userdb, auth lookup id=1420820481 (auth connected 0 msecs ago, request took 0 msecs, client-pid=1802 client-id=1)
Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>

More specifically, I'm trying to match on the first line, the one ending in "unknown user".

My general config for dovecot:

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
#logpath = %(dovecot_log)s
logpath = /var/log/maillog
#backend = %(dovecot_backend)s
backend = polling

Note I've also tried the default backend of gamin.

Regex test:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : UTF-8

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [170366] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 170366 lines, 0 ignored, 1 matched, 170365 missed
[processed in 54.97 sec]

|- Matched line(s):
|  Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za>, rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>
`-
Missed line(s): too many to print. Use --print-all-missed to print all 170365 lines

So it is not matching on any of my regexes.

I've tried regextester with:

passwd\(\S+,,\S+\): unknown user\s*$

and that matches (I removed the IP, as fail2ban will substitute it with <HOST>) on the following log line:

Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: *passwd(aaronn,,<hAkXaQjzKO0pwfXz>): unknown user*

But the same regex (my 2nd-last entry) in fail2ban doesn't work. Not sure where to go from here. Any help is appreciated.

-- Robby
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
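The following is an added example, not part of Robby's post and not fail2ban's own code. It reproduces offline what fail2ban-regex does to the posted filter: it takes the `__prefix_line` expansion exactly as printed in the fail2ban-regex output above, substitutes `<HOST>` the way fail2ban 0.9 does (the host-group pattern is from memory of fail2ban's failregex code and is an assumption; its exact character class does not affect this line), strips the syslog timestamp as the date template would, and runs the five posted "unknown user" regexes plus one suggested replacement over a constructed copy of the log line from the post. The key observation it makes visible is what text is left for the failregex to match once `__prefix_line` has consumed `xxx dovecot:`: the line still begins with `auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>:` before `passwd(`, and `passwd()` has three arguments, so none of the posted regexes can match. `SUGGESTED_FAILREGEX` is my suggestion, not a regex from the fail2ban project.

```python
import re

# __prefix_line as fail2ban 0.9.4 expanded it in the fail2ban-regex output
# quoted in the post (the failregex itself supplies the leading ^).
PREFIX_LINE = (
    r"\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
    r"\s(?:\[ID \d+ \S+\])?\s*"
)

# Assumed substitution fail2ban 0.9 makes for the <HOST> placeholder.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp; fail2ban's date template matches it and removes it from
# the line before the failregex is applied.
DATE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}")

# Constructed copy of the line from the post that should be matched.
LOG_LINE = ("Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker "
            "(pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,"
            "<hAkXaQjzKO0pwfXz>): unknown user")

# The five "unknown user" failregex lines from the posted filter, verbatim.
POSTED_FAILREGEX = [
    r"^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b",
    r"^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$",
    r"^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b",
    r"^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$",
    r"^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$",
]

# Suggested replacement (my regex, not fail2ban's): after the prefix the line
# still carries "auth-worker(PID): conn unix:auth-worker (pid=..,uid=..):
# auth-worker<N>: " before passwd(), and passwd() has user, IP and session.
SUGGESTED_FAILREGEX = (
    r"^%(__prefix_line)sauth-worker\(\d+\): conn unix:auth-worker \(pid=\d+,uid=\d+\): "
    r"auth-worker<\d+>: passwd\([^,]+,<HOST>,<[^>]+>\): unknown user\s*$"
)


def expand(failregex):
    """Expand the fail2ban placeholders the way the filter loader does."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(pattern.replace("<HOST>", HOST))


def strip_date(line):
    """fail2ban removes the matched timestamp and matches against the rest."""
    return DATE.sub("", line, count=1)


def after_prefix(line):
    """Text the failregex still has to match once __prefix_line is consumed."""
    rest = strip_date(line)
    m = re.compile("^" + PREFIX_LINE).match(rest)
    return rest[m.end():] if m else rest


def find_host(failregex, line):
    """Return the <HOST> capture if failregex matches the line, else None."""
    m = expand(failregex).search(strip_date(line))
    return m.group("host") if m else None


if __name__ == "__main__":
    print("after __prefix_line:", repr(after_prefix(LOG_LINE)))
    for i, rx in enumerate(POSTED_FAILREGEX, 1):
        print(f"posted #{i}: {find_host(rx, LOG_LINE)!r}")
    print("suggested:", find_host(SUGGESTED_FAILREGEX, LOG_LINE))
```

Two further points fall out of running this. The posted regexes that do carry `%(__prefix_line)s` expect `passwd(` (or `auth-worker(PID): passwd(`) immediately after the prefix, so the `conn unix:auth-worker (pid=...,uid=...): auth-worker<N>:` text between them guarantees a miss regardless of how `passwd()` itself is written; the regextester check in the post succeeded only because it was not anchored behind the prefix. Separately, the last posted regex ends in `\s$`, which requires one whitespace character immediately before end-of-line; a line ending in `unknown user` with nothing after it cannot satisfy that, so `\s*$` is what is wanted there even once the prefix problem is fixed.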