Yip that's gone and done it! Thank you Nick. The question is why? All the other regexes should be good too ...

Anyway, no looking gift horses in the mouth. Who are we to question? : )

Thanks once again,

Regards,
Robby

On Wed, 25 Jan 2023 at 14:29, Nick Howitt via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> On 25/01/2023 11:05, Robby Pedrica wrote:
> > Hi all,
> >
> > I'd appreciate some help with a regex on dovecot that I can't seem to get right. Config is ...
> >
> > platform: slackware 15 64bit
> > fail2ban: v0.9.4
> >
> > dovecot.conf:
> >
> > [INCLUDES]
> >
> > before = common.conf
> >
> > [Definition]
> >
> > _daemon = (auth|dovecot(-auth)?|auth-worker)
> >
> > failregex =
> >             ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
> >             ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>
> >             ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password m
> >             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> >             # ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> >             ^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b
> >             ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$
> >             ^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b
> >             ^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$
> >             ^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$
> >
> > ignoreregex =
> >
> > [Init]
> >
> > # journalmatch = _SYSTEMD_UNIT=dovecot.service
> >
> > Per above, I've tried a number of variations on the regex (the last 5 regexes) but no matches. The matched entry should be found in the log:
> >
> > Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
> > Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
> > Jan 24 22:32:11 xxx dovecot: imap(1804): Error: auth-master: login: request [1420820481]: Login auth request failed: Authenticated user not found from userdb, auth lookup id=1420820481 (auth connected 0 msecs ago, request took 0 msecs, client-pid=1802 client-id=1)
> > Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>
> >
> > More specifically I'm trying to match on the first line ending in "unknown user".
> >
> > My general config for dovecot:
> >
> > [dovecot]
> >
> > enabled = true
> >
> > port = pop3,pop3s,imap,imaps,submission,465,sieve
> > #logpath = %(dovecot_log)s
> > logpath = /var/log/maillog
> > #backend = %(dovecot_backend)s
> > backend = polling
> >
> > Note I've also tried the default backend of gamin.
> >
> > Regex test:
> >
> > fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
> >
> > Running tests
> > =============
> >
> > Use failregex filter file : dovecot, basedir: /etc/fail2ban
> > Use log file : /var/log/maillog
> > Use encoding : UTF-8
> >
> >
> > Results
> > =======
> >
> > Failregex: 1 total
> > |- #) [# of hits] regular expression
> > | 2) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
> > `-
> >
> > Ignoreregex: 0 total
> >
> > Date template hits:
> > |- [# of hits] date format
> > | [170366] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> > `-
> >
> > Lines: 170366 lines, 0 ignored, 1 matched, 170365 missed
> > [processed in 54.97 sec]
> >
> > |- Matched line(s):
> > | Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za>, rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>
> > `-
> > Missed line(s): too many to print. Use --print-all-missed to print all 170365 lines
> >
> > So not matching on any of my regexes. I've tried regextester with:
> >
> > passwd\(\S+,,\S+\): unknown user\s*$
> >
> > And that matches (I removed the IP as fail2ban will substitute it with <HOST>) on the following log:
> >
> > Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: *passwd(aaronn,,<hAkXaQjzKO0pwfXz>): unknown user*
> >
> > But the same regex (my 2nd last entry) in fail2ban doesn't work. Not sure where to go from here. Any help is appreciated.
> >
> >
> > --
> > Robby
>
> Totally untested, but in the same style as the other filters:
> ^%(__prefix_line)s.*,<HOST>,.*: unknown user\s*$
>
> This is a very lazy version and you can build it up from there if you want a more precise match. Note I have no idea why all the filters end "\s*$". It just allows for any number of spaces at the end of the line. From your test line you can leave out the "\s*" as there aren't any spaces and the "$" is also unnecessary.
>
> Nick
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://wwww.xstore.co.za/
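An added worked example, not code from the thread, from Nick, or from fail2ban itself, that reproduces the outcome above with Python's re module (the engine fail2ban uses) so the "why?" can be seen directly. It expands %(__prefix_line)s exactly as the fail2ban-regex output quoted in the thread shows it, substitutes the <HOST> tag the way fail2ban 0.9's failregex code does (an assumption about v0.9.4; newer releases use a different host pattern), strips the syslog timestamp the way fail2ban does before matching, and runs two of Robby's patterns, Nick's lazy pattern and a tighter variant of my own against constructed copies of the log lines. The point it makes: after the daemon prefix consumes "xxx dovecot: ", the remainder still starts with "auth-worker(1755): conn unix:auth-worker (pid=...,uid=...): auth-worker<35>: " before passwd(...) appears, so a pattern that expects passwd( right after the prefix, or one anchored at "^conn", never gets there, while Nick's ".*" swallows that text.

```python
import re

# Added example, not code from the thread or from fail2ban. Log lines below are
# constructed from the excerpt Robby posted (hostname/user/session are
# illustrative); the last line is an invented successful login, included so the
# patterns can be checked for false positives too.
SAMPLE_LOG = [
    "Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker "
    "(pid=1754,uid=94): auth-worker<35>: "
    "passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user",
    "Jan 24 22:32:11 xxx dovecot: auth: Error: "
    "passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb",
    "Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure "
    "(pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, "
    "lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>",
    "Jan 24 22:32:12 xxx dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=172.16.64.253, mpid=1900, TLS, session=<constructed>",
]

# Syslog timestamp. fail2ban locates the date with its date templates and
# applies the failregex to the line with that date cut out; this simplified
# pattern stands in for the "MON Day 24hour:Minute:Second" template shown in
# the thread's fail2ban-regex output.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# %(__prefix_line)s exactly as fail2ban-regex expanded it in the quoted output
# (with _daemon = (auth|dovecot(-auth)?|auth-worker)).
PREFIX_LINE = (
    r"\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
    r"\s(?:\[ID \d+ \S+\])?\s*"
)

# What the <HOST> tag becomes: the substitution used by fail2ban 0.9's failregex
# code (assumption: matches the v0.9.4 in the thread; newer releases differ).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Expand the two placeholders the way fail2ban does and compile."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST_TAG)
    return re.compile(pattern)


def find_hosts(pattern, lines):
    """Return the host captured from every line the failregex matches."""
    regex = compile_failregex(pattern)
    hosts = []
    for line in lines:
        body = DATE_RE.sub("", line, count=1)  # date removed, as fail2ban does
        match = regex.search(body)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Two of Robby's attempts, copied from the thread.
ROBBY_NO_PREFIX = (r"^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: "
                   r"passwd\(\S+,<HOST>\): unknown user\b")
ROBBY_NARROW = (r"^%(__prefix_line)s(auth-worker\(\d+\)): "
                r"passwd\(\S+,<HOST>,\S+\): unknown user\b")
# Nick's lazy pattern.
NICK_LAZY = r"^%(__prefix_line)s.*,<HOST>,.*: unknown user\s*$"
# A tighter pattern built up from Nick's (my construction, not from the thread):
# it spells out the auth-worker chatter that sits between the daemon prefix and
# passwd(...), and pins <HOST> to the second field of that tuple.
TIGHT = (r"^%(__prefix_line)sauth-worker\(\d+\): conn unix:auth-worker "
         r"\(pid=\d+,uid=\d+\): auth-worker<\d+>: "
         r"passwd\(\S+,<HOST>,<\S+>\): unknown user\s*$")


if __name__ == "__main__":
    for name, pat in [("ROBBY_NO_PREFIX", ROBBY_NO_PREFIX),
                      ("ROBBY_NARROW", ROBBY_NARROW),
                      ("NICK_LAZY", NICK_LAZY), ("TIGHT", TIGHT)]:
        print(f"{name:16} -> {find_hosts(pat, SAMPLE_LOG)}")
```

Running it lists an empty result for both of Robby's patterns and ['41.193.245.243'] for Nick's and for the tighter one; the successful-login line matches neither. The tighter variant is what Nick's "build it up from there" amounts to: it ties the captured host to the address field of passwd(user,host,session) rather than to whichever comma-delimited token the greedy ".*" happens to leave, which is worth having once the filter is doing real banning. This script only models fail2ban's behaviour; the authoritative check is still fail2ban-regex with the real filter file, as Robby ran it.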