I have version 0.11.2-1.el8 installed under Rocky Linux 8.7. Other jails
are working correctly, but I've found that the dovecot one isn't working
as expected. Troubleshooting with the below command results in a number
of matches for pop3-login and imap-login, but none for auto-worker,
which is where I'm having the problem:
[wright@localhost fail2ban] $ fail2ban-regex --print-all-matched /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG}TAI64N
{^LN-BEG} : Default Detectors
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Prefregex: 45677 total
| ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?P<content>.+)$
`-
Failregex: 78 total
|- #) [# of hits] regular expression
| 2) [78] ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [45677] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 45677 lines, 0 ignored, 78 matched, 45599 missed
[processed in 1.80 sec]
|- Matched line(s):
| Apr 23 04:02:34 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 2 secs): user=<nologin>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<JD2KJv35AJgkikp8>
| Apr 23 04:02:52 pop3-login: Info: Disconnected: Aborted login by logging out (auth failed, 1 attempts in 10 secs): user=<support>, method=PLAIN, rip=36.138.74.124, lip=192.168.1.20, session=<u/kmJ/359Jwkikp8>
(etc)
In my dovecot log, I have a number of bad login attempts, such as these; these are never caught, even when expanding my findtime to an unreasonably large value:
Apr 23 09:15:32 auth-worker(53787): Info: conn unix:auth-worker (pid=53786,uid=97): auth-worker<2>: sql(support,103.147.64.52): unknown user
Apr 23 09:15:48 auth-worker(53787): Info: conn unix:auth-worker (pid=53786,uid=97): auth-worker<3>: sql(support,49.91.243.74): unknown user
Looking at the dovecot.conf file in filter.d, I 'think' the issue is
with the prefregex not matching for 'auth-worker', but I'm not sure how
to correct this. My few attempts have failed, and regex has always made
my brain hurt.
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
Any assistance would be appreciated.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
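Added example (not part of the post above, and not code from fail2ban's own filter.d/dovecot.conf): a small Python script that replays the prefregex and the one failregex printed by fail2ban-regex above against constructed copies of both kinds of log line. It shows that the prefregex does capture a <content> for the auth-worker lines (it is not the stage that misses), and that the printed failregex then fails on that content because it only knows the "Aborted login/Disconnected ... (auth failed ...)" wording. EXTRA_FAILREGEX is my own proposed pattern for the "sql(user,ip): unknown user" content; its <HOST>/<F-USER> expansion to Python named groups, the "Password mismatch" alternative, and the ldap/passwd-file passdb names are assumptions, not taken from the page.

```python
import re

# Constructed sample lines, shaped like the ones quoted in the post above
# (one matched pop3-login line, two unmatched auth-worker lines).
LOG_LINES = [
    "Apr 23 04:02:34 pop3-login: Info: Disconnected: Aborted login by logging out "
    "(auth failed, 1 attempts in 2 secs): user=<nologin>, method=PLAIN, "
    "rip=36.138.74.124, lip=192.168.1.20, session=<JD2KJv35AJgkikp8>",
    "Apr 23 09:15:32 auth-worker(53787): Info: conn unix:auth-worker "
    "(pid=53786,uid=97): auth-worker<2>: sql(support,103.147.64.52): unknown user",
    "Apr 23 09:15:48 auth-worker(53787): Info: conn unix:auth-worker "
    "(pid=53786,uid=97): auth-worker<3>: sql(support,49.91.243.74): unknown user",
]

# fail2ban removes the timestamp found by the datepattern before prefregex runs;
# this emulates that step for the "MON Day HH:MM:SS" format seen in the output.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# The expanded prefregex exactly as fail2ban-regex printed it (F-CONTENT -> content).
PREFREGEX = re.compile(
    r"^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?"
    r"(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?"
    r"(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?"
    r"(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?"
    r"(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?"
    r"(?:Info: )?(?P<content>.+)$"
)

# Failregex #2 from the fail2ban-regex output above (the only one that got hits).
DEFAULT_FAILREGEX = (
    r"^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
    r"|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):"
    r"(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>"
    r"(?:[^>]*(?:, session=<\S+>)?)\s*$"
)

# Proposed extra failregex (my suggestion, not from fail2ban's dovecot.conf).
# It matches the content prefregex leaves for the auth-worker lines:
#   conn unix:auth-worker (pid=N,uid=N): auth-worker<N>: sql(user,ip): unknown user
# ASSUMPTIONS: "Password mismatch" as Dovecot's wrong-password wording, and
# ldap/passwd-file as other passdb names; only sql/"unknown user" is on the page.
EXTRA_FAILREGEX = (
    r"^(?:conn \S+ \(pid=\d+,uid=\d+\): )?(?:auth-worker<\d+>: )?"
    r"(?:sql|ldap|passwd-file)\(<F-USER>[^,)]*</F-USER>,<HOST>(?:,[^)]*)?\): "
    r"(?:unknown user|Password mismatch)\s*$"
)


def expand(f2b_regex: str) -> re.Pattern:
    """Turn fail2ban's <HOST> and <F-USER> tags into Python named groups.

    The <HOST> expansion (optional IPv4-mapped-IPv6 prefix, then a host token)
    is an approximation of fail2ban's, written here for the example.
    """
    pat = f2b_regex.replace("<HOST>", r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
    pat = pat.replace("<F-USER>", "(?P<user>").replace("</F-USER>", ")")
    return re.compile(pat)


def prefregex_contents(lines):
    """Content captured by prefregex per line (None = prefregex itself missed)."""
    out = []
    for line in lines:
        m = PREFREGEX.match(DATE_RE.sub("", line, count=1))
        out.append(m.group("content") if m else None)
    return out


def scan(lines, failregexes):
    """Return (host, user) for each line that prefregex + some failregex catch.

    Like fail2ban, the failregexes are tried in order and the first hit wins.
    """
    compiled = [expand(f) for f in failregexes]
    hits = []
    for content in prefregex_contents(lines):
        if content is None:
            continue  # prefregex miss: the failregexes never run
        for fr in compiled:
            fm = fr.match(content)
            if fm:
                hits.append((fm.group("host"), fm.group("user")))
                break
    return hits


if __name__ == "__main__":
    for line, content in zip(LOG_LINES, prefregex_contents(LOG_LINES)):
        print("prefregex content:", content)
    print("default failregex only:", scan(LOG_LINES, [DEFAULT_FAILREGEX]))
    print("with extra failregex: ", scan(LOG_LINES, [DEFAULT_FAILREGEX, EXTRA_FAILREGEX]))
```

To use the proposed pattern for real, append the EXTRA_FAILREGEX text (keeping the <F-USER>/<HOST> tags, without the Python quoting) as an additional failregex line in a local copy of filter.d/dovecot.conf rather than editing the prefregex, then re-run fail2ban-regex as above and confirm the auth-worker lines appear under "Matched line(s)". fail2ban-regex uses Python's re module too, so a pattern that matches here should behave the same there apart from the <HOST> expansion detail noted in the code.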