pathiaki2 via freebsd-questions
2016-07-23 21:06:53 UTC
Hi,
I'm extending fail2ban to catch things on FreeBSD.
Right now I'm looking at dovecot.
This is the standard file.
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex =
^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(,
TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot:
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\):
pam_authenticate\(\) failed: (User not known to the underlying
authentication module: \d+ Time\(s\)|Authentication failure \(password
mismatch\?\))\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)):
(pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info:
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
I have a line I want to match. However, every python interpreter that I
hit says this works.... However, fail2ban doesn't catch the line.
The line:
Jul 23 00:02:48 <machine FQDN> dovecot: auth:
ldap(valeria,91.200.12.148): unknown user (SHA1 of given password:
e557ee1b78fd6978af5ea1f614597f79dc13c40e)
I'm trying this:
^%(__prefix_line)s(: auth: ldap\(\S+,<HOST>\):) unknown user\s*$
What am I missing? There's no error with the interpreter, it's just not
matching the line.
I'm extending fail2ban to catch things on FreeBSD.
Right now I'm looking at dovecot.
This is the standard file.
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex =
^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(,
TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot:
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\):
pam_authenticate\(\) failed: (User not known to the underlying
authentication module: \d+ Time\(s\)|Authentication failure \(password
mismatch\?\))\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)):
(pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info:
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
I have a line I want to match. However, every python interpreter that I
hit says this works.... However, fail2ban doesn't catch the line.
The line:
Jul 23 00:02:48 <machine FQDN> dovecot: auth:
ldap(valeria,91.200.12.148): unknown user (SHA1 of given password:
e557ee1b78fd6978af5ea1f614597f79dc13c40e)
I'm trying this:
^%(__prefix_line)s(: auth: ldap\(\S+,<HOST>\):) unknown user\s*$
What am I missing? There's no error with the interpreter, it's just not
matching the line.