On 4/29/23 15:23, James Moe via Fail2ban-users wrote:
On 2023-04-29 08:15, Jim Wright wrote:
[wright@localhost fail2ban] $ fail2ban-regex --print-all-matched /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
<cut>
Results
=======
Prefregex: 45677 total
| ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:dovecot(?:-auth)?|auth)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?P<content>.+)$
`-
Would you show us "dovecot.conf"? I do not see where there is a regex for
"unknown user."
Minor update: just after posting this I did a yum update and it pulled
down fail2ban version 1.0.2-3.el8, and the dovecot.conf file was
slightly different. Full text of that file is as follows; the unknown
user match is in the failregex section. After running for a few hours,
I'm still not seeing any hits when I should have had at least one
match. All of my config files are stock, except for jail.local.
Pasting the relevant section for that as well.
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/dovecot.log
maxretry = 3
findtime = 240h
bantime = 10m
bantime.factor = 1
--------------------------------------------
# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:dovecot(?:-auth)?|auth)

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?

_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
            <mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
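To see which Dovecot log lines the stock filter above actually counts, here is a small added Python script (not from this thread or from fail2ban itself) that replays the two-stage prefregex / failregex matching over constructed log lines. The syslog prefix is a simplified stand-in for common.conf's __prefix_line, the <HOST> and <F-CONTENT> tags are rendered as Python named groups, and every sample line is made up for the test.

```python
import re
# Stage 1, a reduced form of the filter's prefregex: syslog prefix, optional
# "dovecot:" tag, auth/auth-worker(pid) or *-login process, optional "Info:".
# Python named groups stand in for fail2ban's <F-CONTENT> and <HOST> tags.
PREFREGEX = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ (?:dovecot: )?"
    r"(?:auth(?:-worker)?(?:\([^\)]+\))?: )?"
    r"(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?"
    r"(?:Info: )?(?P<content>.+)$")
HOST = r"(?P<host>[0-9a-fA-F.:]+)"                # IPv4 or IPv6 literal
BYPASS = r"(?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*"   # _bypass_reject_reason

# Stage 2: the two failregex lines relevant to a wrong-user attempt.
FAILREGEX = [
    # passdb result such as "pam(user,ip): unknown user"; Dovecot writes these
    # only when auth_verbose = yes, so with the default they never reach the log
    re.compile(r"^[a-z\-]{3,15}\(\S*," + HOST + r"(?:,\S*)?\): "
               r"(?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)"),
    # login-process summary, written whatever auth_verbose is set to
    re.compile(r"^(?:Aborted login|Disconnected|Remote closed connection"
               r"|Client has quit the connection)" + BYPASS +
               r" \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
               r"|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):"
               r"(?: user=<(?P<user>[^>]*)>,)?(?: method=\S+,)? rip=" + HOST +
               r"(?:[^>]*(?:, session=<\S+>)?)\s*$"),
]

def match_line(line):
    """Return (host, failregex index) if the normal-mode filter counts the line."""
    m = PREFREGEX.match(line)
    if not m:
        return None
    for i, rx in enumerate(FAILREGEX):
        fm = rx.match(m.group("content"))
        if fm:
            return fm.group("host"), i
    return None

# Constructed sample lines, not taken from the poster's /var/log/dovecot.log.
SAMPLE_LOG = [
    "Apr 29 08:15:01 mail dovecot: auth-worker(2345): pam(nobody@example.org,192.0.2.10): unknown user",
    "Apr 29 08:15:03 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): "
    "user=<nobody>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<abc123>",
    "Apr 29 08:15:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7",
    # only mdre-aggressive would count this one; mode = normal ignores it
    "Apr 29 08:15:07 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): "
    "user=<>, rip=203.0.113.9, lip=198.51.100.5, TLS, session=<xyz789>",
]
for line in SAMPLE_LOG:
    print(match_line(line), "<-", line)
```

The first sample line only exists when Dovecot runs with auth_verbose = yes, which is the setting to confirm when the "unknown user" pattern never fires; fail2ban-regex against the real log, as in the command quoted earlier, remains the authoritative check.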
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users