Thanks Finn, but dovecot is configured for logging to /var/log/maillog*
This is not a matter of fail2ban not finding the logs, as a regex test returns with a match, just not the one I want.

Regards and thanks

On Wed, 25 Jan 2023 at 14:39, fail2ban--- via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> Hi Robby.
>
> I think You have to use the /var/log/dovecot.log file (change in Your
> jail.local or jail.conf)
>
> Hope it helps
>
> /Finn
> On 25-01-2023 at 12:05, Robby Pedrica wrote:
> > Hi all,
> >
> > I'd appreciate some help with a regex on dovecot that I can't seem to
> > get right. Config is ...
> >
> > platform: slackware 15 64bit
> > fail2ban: v0.9.4
> >
> > dovecot.conf:
> >
> > [INCLUDES]
> >
> > before = common.conf
> >
> > [Definition]
> >
> > _daemon = (auth|dovecot(-auth)?|auth-worker)
> >
> > failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
> >             ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>
> >             ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password m
> >             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> >             # ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> >             ^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b
> >             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$
> >             ^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b
> >             ^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$
> >             ^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$
> >
> > ignoreregex =
> >
> > [Init]
> >
> > # journalmatch = _SYSTEMD_UNIT=dovecot.service
> >
> > Per above, I've tried a number of variations on the regex (the last 5
> > regexes) but no matches. The matched entry should be found in the log:
> >
> > Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
> > Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
> > Jan 24 22:32:11 xxx dovecot: imap(1804): Error: auth-master: login: request [1420820481]: Login auth request failed: Authenticated user not found from userdb, auth lookup id=1420820481 (auth connected 0 msecs ago, request took 0 msecs, client-pid=1802 client-id=1)
> > Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>
> >
> > More specifically I'm trying to match on the first line ending in
> > "unknown user".
> >
> > My general config for dovecot:
> >
> > [dovecot]
> >
> > enabled = true
> >
> > port = pop3,pop3s,imap,imaps,submission,465,sieve
> > #logpath = %(dovecot_log)s
> > logpath = /var/log/maillog
> > #backend = %(dovecot_backend)s
> > backend = polling
> >
> > Note I've also tried the default backend of gamin.
> >
> > Regex test:
> >
> > fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
> >
> > Running tests
> > =============
> >
> > Use   failregex filter file : dovecot, basedir: /etc/fail2ban
> > Use         log file : /var/log/maillog
> > Use         encoding : UTF-8
> >
> >
> > Results
> > =======
> >
> > Failregex: 1 total
> > |-  #) [# of hits] regular expression
> > |   2) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > |  [170366] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> > `-
> >
> > Lines: 170366 lines, 0 ignored, 1 matched, 170365 missed
> > [processed in 54.97 sec]
> >
> > |- Matched line(s):
> > |  Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za>, rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>
> > `-
> > Missed line(s): too many to print.  Use --print-all-missed to print all 170365 lines
> >
> > So not matching on any of my regexes. I've tried regextester with:
> >
> > passwd\(\S+,,\S+\): unknown user\s*$
> >
> > And that matches (I removed the IP as fail2ban will substitute with
> > <HOST>) on the following log:
> >
> > Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: *passwd(aaronn,,<hAkXaQjzKO0pwfXz>): unknown user*
> >
> > But the same regex (my 2nd last entry) in fail2ban doesn't work. Not
> > sure where to go from here. Any help is appreciated.
> >
> > --
> > Robby
> >
> --
> "After sleeping through a hundred million centuries we have finally
> opened our eyes on a sumptuous planet, sparkling with color, bountiful
> with life. Within decades we must close our eyes again. Isn't it a
> noble, an enlightened way of spending our brief time in the sun, to work
> at understanding the universe and how we have come to wake up in it?"
> [- Professor Richard Dawkins]
>

--
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://wwww.xstore.co.za/
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
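Added example, not part of the thread above: a small Python harness that reproduces what fail2ban does to a failregex before matching, so a candidate pattern can be checked against the exact log lines in seconds instead of a 170k-line fail2ban-regex run. Two points it makes concrete: fail2ban replaces `<HOST>` with a capturing sub-pattern (the 0.9.x expansion is used here) rather than deleting the address, so a regex tested online with the IP removed is not the regex fail2ban compiles; and the date is stripped from the line before failregex is applied. The `PREFIX_LINE` constant is an assumption, a simplified stand-in for common.conf's `__prefix_line` that only covers the `hostname daemon(pid):` shape of a dovecot syslog line. The first two candidates are copied from the thread; the third, `assumed_full`, is my own pattern that spells out the `conn unix:auth-worker (...): auth-worker<N>:` text that sits between the daemon prefix and `passwd(` in the target line. The log lines are the ones quoted in the thread, embedded as constructed sample input.

```python
import re

# <HOST> expansion that fail2ban 0.9.x substitutes into every failregex.
# It captures the address into the named group "host"; nothing is removed.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: simplified stand-in for common.conf's __prefix_line. After the
# date is stripped, a dovecot line starts "<hostname> <daemon>(<pid>): ";
# the real prefix additionally handles kernel/vserver/syslog-ID variants.
PREFIX_LINE = (r"^\s*(?:\S+\s+)?"
               r"(?:(?:auth|dovecot(?:-auth)?|auth-worker)(?:\(\S+\))?:?)?\s*")

# Syslog timestamp; fail2ban removes the date before applying failregex.
DATE_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")

# Constructed sample input: the lines quoted in the thread.
LOG_LINES = [
    "Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker "
    "(pid=1754,uid=94): auth-worker<35>: "
    "passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user",
    "Jan 24 22:32:11 xxx dovecot: auth: Error: "
    "passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb",
    "Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity "
    "(auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za>, "
    "rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>",
]

# Candidate failregexes: the first two are from the thread, the third is an
# assumed pattern that also covers the "conn unix:auth-worker ..." text
# between the daemon prefix and "passwd(".
CANDIDATES = {
    "thread_2nd_last": (r"^%(__prefix_line)s(auth-worker\(\d+\)): "
                        r"passwd\(\S+,<HOST>,\S+\): unknown user\b"),
    "thread_conn_unix": (r"^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: "
                         r"passwd\(\S+,<HOST>\): unknown user\b"),
    "assumed_full": (r"^%(__prefix_line)sauth-worker\(\d+\): "
                     r"conn unix:auth-worker \([^)]*\): auth-worker<\d+>: "
                     r"passwd\(\S+,<HOST>,\S+\): unknown user\s*$"),
}


def expand(failregex):
    """Apply the two substitutions fail2ban performs before compiling."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(failregex, line):
    """Return the captured host if failregex matches the date-stripped line, else None."""
    stripped = DATE_RE.sub("", line, count=1)
    m = expand(failregex).search(stripped)
    return m.group("host") if m else None


def run_all(candidates=CANDIDATES, lines=LOG_LINES):
    """Map candidate name -> list of hosts captured per log line (None = miss)."""
    return {name: [match_host(rx, line) for line in lines]
            for name, rx in candidates.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:18s} {hits}")
```

Running it shows both patterns from the thread missing all three lines, while `assumed_full` captures `41.193.245.243` from the `unknown user` line only and leaves the `user not found from userdb` and `pop3-login` lines alone, which is the behaviour a ban rule for that event should have. Because the prefix here is a simplification, the final check still belongs in `fail2ban-regex` against the real common.conf.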