Yip that's gone and done it! Thank you Nick.
The question is why? All the other regexes should be good too ...
Anyway, no looking gift horses in the mouth. Who are we to question? : )
Thanks once again,
Regards, Robby
On Wed, 25 Jan 2023 at 14:29, Nick Howitt via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
On 25/01/2023 11:05, Robby Pedrica wrote:
> Hi all,
>
> I'd appreciate some help with a regex on dovecot that I can't seem to get right. Config is ...
>
> platform: slackware 15 64bit
> fail2ban: v0.9.4
>
> dovecot.conf:
>
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> _daemon = (auth|dovecot(-auth)?|auth-worker)
>
> failregex =
>
> ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
> ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>
> ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password m
> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> # ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
> ^conn unix:auth-worker \([^)]*\): auth-worker<\d+>: passwd\(\S+,<HOST>\): unknown user\b
> ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): passwd\(\S+,<HOST>\): unknown user\s*$
> ^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b
> ^%(__prefix_line)s passwd\(\S+,<HOST>,\S+\): unknown user\s*$
> ^%(__prefix_line)spasswd\(.*\,<HOST>\)\: (unknown user|Password mismatch)\s$
>
> ignoreregex =
>
> [Init]
>
> # journalmatch = _SYSTEMD_UNIT=dovecot.service
>
> Per above, I've tried a number of variations on the regex (the last 5 regexes) but no matches. The matched entry should be found in the log:
>
> Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
> Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
> Jan 24 22:32:11 xxx dovecot: imap(1804): Error: auth-master: login: request [1420820481]: Login auth request failed: Authenticated user not found from userdb, auth lookup id=1420820481 (auth connected 0 msecs ago, request took 0 msecs, client-pid=1802 client-id=1)
> Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>
>
> More specifically I'm trying to match on the first line ending in "unknown user".
>
> My general config for dovecot:
>
> [dovecot]
>
> enabled = true
>
> port = pop3,pop3s,imap,imaps,submission,465,sieve
> #logpath = %(dovecot_log)s
> logpath = /var/log/maillog
> #backend = %(dovecot_backend)s
> backend = polling
>
> Note I've also tried the default backend of gamin.
>
> Regex test:
>
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
>
> Running tests
> =============
>
> Use failregex filter file : dovecot, basedir: /etc/fail2ban
> Use log file : /var/log/maillog
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 1 total
> |- #) [# of hits] regular expression
> | 2) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(auth|dovecot(-auth)?|auth-worker)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [170366] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
>
> Lines: 170366 lines, 0 ignored, 1 matched, 170365 missed
> [processed in 54.97 sec]
>
> |- Matched line(s):
> | Jan 23 09:53:21 xxx dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 0 secs): user=<r...@surgcare.co.za <mailto:r...@surgcare.co.za>>, rip=45.82.65.138, lip=172.16.64.253, session=<bA23punyMLMtUkGK>
> `-
> Missed line(s): too many to print. Use --print-all-missed to print all 170365 lines
>
> So not matching on any of my regexes. I've tried regextester with:
>
> passwd\(\S+,,\S+\): unknown user\s*$
>
> And that matches (I removed the IP as fail2ban will substitute it with <HOST>) on the following log:
>
> Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: *passwd(aaronn,,<hAkXaQjzKO0pwfXz>): unknown user*
>
> But the same regex (my 2nd last entry) in fail2ban doesn't work. Not sure where to go from here. Any help is appreciated.
>
>
> --
> Robby
Totally untested, but in the same style as the other filters:
^%(__prefix_line)s.*,<HOST>,.*: unknown user\s*$
This is a very lazy version and you can build it up from there if you want a more precise match. Note I have no idea why all the filters end "\s*$". It just allows for any number of spaces at the end of the line. From your test line you can leave out the "\s*" as there aren't any spaces and the "$" is also unnecessary.
Nick
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
Robby Pedrica
XStore
c: +27 82 416 8696
f: +27 86 538 5810
m: rpedr...@xstore.co.za
w: http://wwww.xstore.co.za/
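As an added illustration (not code from this thread or from fail2ban itself), the script below mimics what fail2ban-regex does: it strips the syslog timestamp, expands %(__prefix_line)s and <HOST> using cut-down stand-ins for the common.conf definitions (both are my assumptions, not the real ones), and runs Robby's second-last failregex and Nick's lazy one over three of the four log lines quoted above. It makes visible why the lazy `.*` works: the `conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: ` segment sits between the daemon prefix and `passwd(`, and the stricter pattern never allows for it; a tighter pattern of my own that spells that segment out is included as a third case.

```python
import re

# Constructed sample: three of the four log lines quoted in the thread.
SAMPLE_LOG = """\
Jan 24 22:32:11 xxx dovecot: auth-worker(1755): conn unix:auth-worker (pid=1754,uid=94): auth-worker<35>: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): unknown user
Jan 24 22:32:11 xxx dovecot: auth: Error: passwd(aaronn,41.193.245.243,<hAkXaQjzKO0pwfXz>): user not found from userdb
Jan 24 22:32:11 xxx dovecot: imap-login: Disconnected: Internal login failure (pid=1802 id=1): user=<aaronn>, method=PLAIN, rip=41.193.245.243, lip=172.16.64.253, mpid=1804, TLS, session=<hAkXaQjzKO0pwfXz>
"""

# Assumption: a cut-down stand-in for common.conf's __prefix_line, keeping only
# the host token, the _daemon name with an optional "(pid)" and a trailing colon.
DAEMON = r"(?:auth|dovecot(?:-auth)?|auth-worker)"
PREFIX_LINE = r"\s*(?:\S+ )?(?:" + DAEMON + r"(?:\(\S+\))?:?)?\s*"
# Assumption: simplified form of the <HOST> expansion (the named group fail2ban bans on).
HOST_RE = r"(?P<host>[\w\-.:]*\w)"
# fail2ban strips the timestamp before failregex is applied; do the same here.
DATE_RE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Robby's second-last attempt: expects "passwd(" right after "auth-worker(pid):".
STRICT = r"^%(__prefix_line)s(auth-worker\(\d+\)): passwd\(\S+,<HOST>,\S+\): unknown user\b"
# Nick's lazy version: ".*" swallows the "conn unix:auth-worker (...): auth-worker<35>: " part.
LAZY = r"^%(__prefix_line)s.*,<HOST>,.*: unknown user\s*$"
# A tighter variant (my own, built up from Nick's) that spells that segment out.
TIGHT = (r"^%(__prefix_line)sauth-worker\(\d+\): conn unix:auth-worker \(pid=\d+,uid=\d+\): "
         r"auth-worker<\d+>: passwd\(\S+,<HOST>,\S+\): unknown user\s*$")

def compile_failregex(pattern):
    """Expand the two fail2ban placeholders and compile, as the filter loader would."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE)
    return re.compile(expanded)

def find_hosts(failregexes, log_text=SAMPLE_LOG):
    """Return (regex_index, host) for every line matched by the first matching failregex."""
    compiled = [compile_failregex(p) for p in failregexes]
    hits = []
    for line in log_text.splitlines():
        body = DATE_RE.sub("", line, count=1)
        for idx, rx in enumerate(compiled):
            m = rx.match(body)
            if m:
                hits.append((idx, m.group("host")))
                break
    return hits

if __name__ == "__main__":
    for name, rx in (("strict", STRICT), ("lazy", LAZY), ("tight", TIGHT)):
        print(name, find_hosts([rx]))
```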