On Thu, 2021-10-21 at 11:38 -0400, Krzysztof Adamski wrote:
> On Mon, 2021-10-18 at 10:20 -0700, James Moe via Fail2ban-users wrote:
> > On 2021-10-18 07:39, Krzysztof Adamski wrote:
> > >
> > > > Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)
> > >
> > > I was wrong, the auth-worker failures are not being used in the ban. Is there anything I can change to enable the ban on this?
> >
> > failregex = ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*
>
> Thank you for this, it matches when used on egrep (without <HOST>) with the mail.log file, but not when added to the failregex in dovecot jail.
>
> I'm suspecting that the prefregex needs to be tweaked to now include this new log line.
>
> The prefregex on my system is:
> prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
>
> and for completeness my failregex is:
>
> failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
>             ^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*
>             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
>             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
>             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
>             <mdre-<mode>>
>
> K
So I have discovered 'fail2ban-regex' :-), and now I started playing with the regular expression. Even though the expression provided by James matches when using a website for testing regex, it would not match in fail2ban. I modified the expression to:

^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*

and that matches in fail2ban. What I think is the difference is that this expression matches on the second 'auth-worker', as opposed to James' expression, which matches on the first 'auth-worker'. Could somebody explain why that is?

Thanks,
K

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
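To show why the two expressions behave differently under fail2ban than under egrep, here is an added Python example (editor's code, not from the thread or from fail2ban itself): it applies the prefregex quoted above to the quoted log line and then runs both failregexes against the <F-CONTENT> part that fail2ban actually hands to failregex. PREFIX_LINE, AUTH_WORKER and PAM_AUTH are assumed, simplified stand-ins for fail2ban's %(__prefix_line)s, %(_auth_worker)s and %(__pam_auth)s substitutions, and only IPv4 hosts are handled.

```python
import re

# Constructed sample: the log line quoted in the thread, as one string.
LOG_LINE = ("Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker "
            "(pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): "
            "unknown user (given password: qwer1234)")

# Assumed stand-ins for fail2ban's %(__prefix_line)s, %(_auth_worker)s and %(__pam_auth)s;
# the real definitions live in common.conf / dovecot.conf and are not reproduced here.
PREFIX_LINE = r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ dovecot: "
AUTH_WORKER = r"auth-worker"
PAM_AUTH = r"pam_unix"

# The prefregex as quoted in the thread, with the substitutions applied.
PREFREGEX = (r"^" + PREFIX_LINE + r"(?:" + AUTH_WORKER + r"(?:\([^\)]+\))?: )?"
             r"(?:" + PAM_AUTH + r"(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?"
             r"(?:Info: )?<F-CONTENT>.+</F-CONTENT>$")

FAILREGEX_JAMES = r"^.*auth\-worker\(.*sql\(.*,<HOST>,.*\)\: unknown user .*"  # no space before "("
FAILREGEX_K = r"^.*auth\-worker \(.*sql\(.*,<HOST>,.*\)\: unknown user.*"      # space before "("

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only; enough for this sample


def to_python_regex(f2b_regex):
    """Turn the fail2ban tags used here (<HOST>, <F-CONTENT>) into named groups."""
    r = f2b_regex.replace("<HOST>", HOST_RE)
    return r.replace("<F-CONTENT>", "(?P<content>").replace("</F-CONTENT>", ")")


def extract_content(line):
    """What fail2ban hands to failregex: the <F-CONTENT> part left after prefregex."""
    m = re.match(to_python_regex(PREFREGEX), line)
    return m.group("content") if m else None


def match_host(failregex, text):
    """The <HOST> a failregex captures from text, or None if it does not match."""
    m = re.match(to_python_regex(failregex), text)
    return m.group("host") if m else None


if __name__ == "__main__":
    content = extract_content(LOG_LINE)
    print("after prefregex:", content)
    # On the raw line (what egrep sees) James' expression finds the host...
    print("James, raw line:      ", match_host(FAILREGEX_JAMES, LOG_LINE))
    # ...but prefregex already consumed "auth-worker(41189): ", so only the
    # "auth-worker (pid=...)" occurrence remains and James' expression no longer matches.
    print("James, after prefregex:", match_host(FAILREGEX_JAMES, content))
    print("K, after prefregex:    ", match_host(FAILREGEX_K, content))
```

Running it with `fail2ban-regex` on the real log and filter gives the same picture; the script only makes the prefregex step visible.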