I have concoted something that seems to work. And for the archives, this
is it:
failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given
password: .+ssword\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given
password: 1qaz2wsx\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given
password: 123321\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given
password: 1234567890\)
auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given
password: 1q2w3e4r.+\)
It's still reactive, and not pro-active.
All the other suggestions are very much appreciated, including
weakforced, however implementing that is a much larger project.
Next I have to find out how to feed my fail2ban logs back to
blocklist.de, to improve their mail.txt hit rate.
Thanks again for all kind assistance.
MJ
On 07/20/2017 11:16 AM, mj wrote:
Hi all,
If I may, one more question on this subject:
I would like to create a fail2ban filer, that scans for these lines:
Jul 20 11:10:09 auth: Info:
ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials
(given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>):
invalid credentials (given password: password)
(as you can see, I have enabled auth_verbose_passwords to do this,
making me very uncomfortable...)
Anyway: since there are only a few password variations, I would like to
block anyone using those passwords.
(since the connections are over TLS/SSL, I cannot use iptables, as
suggested earlier)
So I need a specific fail2ban rule that extracts the <IP> from that
line, and matches on "(given password: password)"
Can anyone here help out with a failregex line that would match..?
