Package: fail2ban
Version: 0.8.13-1
(Same as bug #507990 which results fixed, but seems it's not :) )
When using postfix with dovecot as the SASL authenticator, fail2ban
fails to detect auth errors as this one:
----BEGINS----
Jan 25 22:25:05 xxxx postfix/submission/smtpd[17942]: warning:
unknown[198.50.137.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 22:25:23 xxxx postfix/submission/smtpd[17942]: warning:
unknown[198.50.137.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 22:25:43 xxxx postfix/submission/smtpd[17942]: warning:
unknown[198.50.137.148]: SASL LOGIN authentication failed: Connection
lost to authentication server
----END-----
the current regex does not match :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\s*$
this one ( as suggested by Udo Rader <[email protected]> in
relation to bug#507990) does:
: warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)
authentication failed: \w+
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u1 (2015-12-14)
x86_64 GNU/Linux
Libc6: Version: 2.19-18+deb8u1
--
*David Galligani *