On Tue, 04 Sep 2012 13:23:39 -0500, Arnt Gulbrandsen <[email protected]> wrote:
> Show me what you would like to see?
>
> Arnt

Dovecot's logs are nice: (I've sanitized the users)

mailbox# tail -f maillog | grep -i imap
Sep 6 06:54:51 mailbox dovecot: auth(default): client in: AUTH 193571
PLAIN service=imap lip=66.170.1.9 rip=70.194.65.165
lport=143 rport=20980
resp=AGxsbkBlbWFpbC5zdXByYW5ldC5uZXQAbGxuNjM5
Sep 6 06:54:51 mailbox dovecot: imap-login: Login:
user=<[email protected]>, method=PLAIN, rip=70.194.65.165, lip=66.170.1.9
Sep 6 06:54:52 mailbox dovecot: IMAP(tjs): Disconnected in IDLE
bytes=665/7018
Sep 6 06:54:52 mailbox dovecot: IMAP(tjs): Disconnected in IDLE
bytes=1054/33005
Sep 6 06:54:56 mailbox dovecot: auth(default): client in: AUTH 310560
PLAIN service=imap secured lip=66.170.1.9 rip=74.82.81.206
lport=993 rport=34262 resp=AGJnb3Jkb24AYWNpYWNp
Sep 6 06:54:56 mailbox dovecot: imap-login: Login:
user=<[email protected]>, method=PLAIN, rip=74.82.81.206,
lip=66.170.1.9, TLS
Sep 6 06:54:57 mailbox dovecot: auth(default): client in: AUTH 310561
PLAIN service=imap secured lip=66.170.1.9 rip=166.147.101.142
lport=993 rport=43225
resp=AGNlbnplbnJvdGhAZ2FsbGluYWNvcy5jb20AY29udDg1MDA=
Sep 6 06:54:57 mailbox dovecot: imap-login: Login:
user=<[email protected]>, method=PLAIN, rip=166.147.101.142,
lip=66.170.1.9, TLS
Sep 6 06:54:57 mailbox dovecot: auth(default): client in: AUTH 193572
PLAIN service=imap secured lip=66.170.1.9 rip=166.147.101.142
lport=993 rport=49409
resp=AGNlbnplbnJvdGhAZ2FsbGluYWNvcy5jb20AY29udDg1MDA=
Sep 6 06:54:57 mailbox dovecot: imap-login: Login:
user=<[email protected]>, method=PLAIN, rip=166.147.101.142,
lip=66.170.1.9, TLS
Sep 6 06:54:58 mailbox dovecot: IMAP([email protected]):
Disconnected: Logged out bytes=111/58110
Sep 6 06:55:01 mailbox dovecot: imap-login: Aborted login (no auth
attempts): rip=2607:f4e0:100:111::18, lip=2607:f4e0:100:111::9
Sep 6 06:55:01 mailbox dovecot: IMAP([email protected]): Disconnected:
Logged out bytes=2761/135354
Sep 6 06:55:01 mailbox dovecot: IMAP([email protected]): Disconnected:
Logged out bytes=63/1098

and when there are auth errors:

Sep 6 06:47:27 mailbox dovecot: imap-login: Aborted login (auth failed, 1
attempts): user=<[email protected]>, method=PLAIN,
rip=166.147.102.24, lip=66.170.1.9, TLS

fail2ban's dovecot regex looks like this:

failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
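
The failregex above, run over log lines in the format shown in this message, as an added example that is not part of the original post. The sample lines are constructed (documentation addresses, placeholder users), and the function names and the threshold of 2 are assumptions chosen for illustration.

```python
import re
from collections import Counter

# The failregex quoted in the post, joined onto one line.
FAILREGEX = re.compile(
    r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
    r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Constructed sample lines modelled on the log format shown in the post
# (documentation addresses, placeholder users).
SAMPLE_LOG = """\
Sep  6 06:47:27 mailbox dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<user@example.com>, method=PLAIN, rip=192.0.2.24, lip=198.51.100.9, TLS
Sep  6 06:47:31 mailbox dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<user@example.com>, method=PLAIN, rip=192.0.2.24, lip=198.51.100.9, TLS
Sep  6 06:48:02 mailbox dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<other@example.com>, method=PLAIN, rip=2001:db8::18, lip=2001:db8::9
Sep  6 06:54:51 mailbox dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.9
Sep  6 06:55:01 mailbox dovecot: imap-login: Aborted login (no auth attempts): rip=2001:db8::18, lip=2001:db8::9
Sep  6 06:54:52 mailbox dovecot: IMAP(user): Disconnected in IDLE bytes=665/7018
"""

def failed_hosts(log_text):
    """Return a Counter of remote addresses on lines the failregex matches."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            # Each matching line is tallied once; the "N attempts" figure
            # inside the line is not used by this tally.
            hits[m.group("host")] += 1
    return hits

def over_threshold(hits, threshold):
    """Hosts with at least `threshold` matching lines, sorted."""
    return sorted(h for h, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    hits = failed_hosts(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{host}\t{n}")
    print("at or over threshold 2:", over_threshold(hits, 2))
```

Successful logins, the "no auth attempts" abort and the post-login IMAP(...) lines are not matched, so only the auth-failure lines contribute to the per-address count.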