Hi Robby.

I think you have to use the /var/log/dovecot.log file (change it in your jail.local or jail.conf)

Hope it helps

/Finn
On 25-01-2023 at 12:05, Robby Pedrica wrote:
Hi all,

I'd appreciate some help with a regex on dovecot that I can't seem to get right. Config is ...

platform: slackware 15 64bit
fail2ban: v0.9.4

dovecot.conf:

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password m
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
#           ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b
            ^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$
            ^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$

ignoreregex =

[Init]

# journalmatch = _SYSTEMD_UNIT=dovecot.service

Per above, I've tried a number of variations on the regex (the last 5 regexes) but no matches. The matched entry should be found in the log:

Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
Jan 24 22:32:11 xxx dovecot: imap(1804): Error: auth-master: login: request [1420820481]: Login auth request failed: Authenticated user not found from userdb, auth lookup id=1420820481 (auth connected 0 msecs ago, request took 0 msecs, client-pid=1802 client-id=1)
Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>

More specifically, I'm trying to match on the first line ending in "unknown user".

My general config for dovecot:

[dovecot]

enabled = true

port    = pop3,pop3s,imap,imaps,submission,465,sieve
#logpath = %(dovecot_log)s
logpath = /var/log/maillog
#backend = %(dovecot_backend)s
backend = polling

Note I've also tried the default backend of gamin.

Regex test:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf --print-all-matched

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [170366] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 170366 lines, 0 ignored, 1 matched, 170365 missed
[processed in 54.97 sec]

|- Matched line(s):
|  Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za>, rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 170365 lines

So not matching on any of my regexes. I've tried regextester with:

passwd\(\S+,,\S+\): unknown user\s*$

And that matches (I removed the IP, as fail2ban will substitute it with <HOST>) on the following log:

Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: *passwd(aaronn,,<hAkXaQjzKO0pwfXz>): unknown user*

But the same regex (my 2nd last entry) in fail2ban doesn't work. Not sure where to go from here. Any help is appreciated.


--
Robby


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
"After sleeping through a hundred million centuries we have finally opened our eyes on a sumptuous planet, sparkling with color, bountiful with life. Within decades we must close our eyes again. Isn't it a noble, an enlightened way of spending our brief time in the sun, to work at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]


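An added worked example, not part of either message above, that shows why the posted pattern misses the "unknown user" line and what a pattern that accounts for the extra "auth-worker(1755): conn unix:auth-worker (...): auth-worker<35>: " hops between the daemon tag and "passwd(" looks like. The harness below is my own, not fail2ban's code: PREFIX_LINE is a simplified stand-in for common.conf's __prefix_line that only covers "<hostname> dovecot: " syslog lines, HOST_RE is a looser stand-in for fail2ban's <HOST>, and the timestamp is stripped before the pattern is applied with search(), which is my understanding of how fail2ban applies a failregex and should be treated as an assumption. The first two sample lines are copied from the post, the third is constructed. The proposed failregex is mine, not the dovecot filter shipped with fail2ban.

```python
import re

# Constructed sample log lines. The first two are the lines quoted in the
# post; the third is made up to show a second failure shape (no "conn" hop,
# "Password mismatch" instead of "unknown user").
SAMPLE_LINES = [
    "Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): "
    "auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user",
    "Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): "
    "user not found from userdb",
    "Jan 24 22:33:02 xxx dovecot: auth-worker(1755): passwd(bob,203.0.113.7,<abc>): Password mismatch",
]

# Assumption: simplified stand-ins for what fail2ban substitutes. The real
# __prefix_line in common.conf is much longer; this one only covers
# "<hostname> dovecot: " syslog lines. The real <HOST> is stricter than this.
PREFIX_LINE = r"\s*(?:\S+ )?dovecot(?:\(\S+\))?:?\s\s*"
HOST_RE = r"(?P<host>[\w.:-]+)"
# Syslog timestamp; fail2ban matches the date separately and the failregex
# is applied to what follows it (assumption about the 0.9 matching model).
DATE_RE = r"^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "

# The second-to-last pattern from the post: it expects "passwd(" to follow
# the daemon tag directly, but on the auth-worker line
# "auth-worker(1755): conn unix:auth-worker (...): auth-worker<35>: " comes first.
POSTED_REGEX = r"^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$"

# Proposed pattern (mine, not the upstream dovecot filter): allow the
# "conn ... : auth-worker<N>: " hops, make the trailing session field
# optional, and match only the passdb verdict line so each failure counts once.
PROPOSED_REGEX = (
    r"^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): "
    r"(?:conn \S+ \([^)]*\): auth-worker<\d+>: )?"
    r"(?:pam|passwd-file|passwd)\(\S+,<HOST>(?:,\S*)?\): "
    r"(?:unknown user|Password mismatch)\s*$"
)


def expand(failregex: str) -> "re.Pattern[str]":
    """Substitute the fail2ban placeholders and compile the pattern."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def strip_date(line: str) -> str:
    """Remove the syslog timestamp before the failregex is applied."""
    return re.sub(DATE_RE, "", line, count=1)


def match_host(failregex: str, line: str):
    """Return the <HOST> captured by failregex on line, or None if it misses."""
    m = expand(failregex).search(strip_date(line))
    return m.group("host") if m else None


def run(failregex: str, lines=SAMPLE_LINES):
    """Apply one failregex to every sample line; None means 'missed'."""
    return [match_host(failregex, line) for line in lines]


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_REGEX), ("proposed", PROPOSED_REGEX)):
        print(name, run(rx))
```

The posted pattern misses all three lines; the proposed one returns 41.193.245.243 for the first and 203.0.113.7 for the third and leaves the "auth: Error: ... user not found from userdb" line alone, since it reports the same failed attempt a second time. The unanchored regextester pattern from the post matched only because it had no ^ and no prefix in front of passwd(; the last posted pattern also ends in \s$, which demands a trailing whitespace character the log line does not have. Verify any candidate with fail2ban-regex against the real /var/log/maillog before enabling it in the jail.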