Fail2ban 'Password mismatch' regex

James Brown jlbrown at bordo.com.au
Mon Sep 11 09:57:16 EEST 2017


I have turned on 'auth_debug_passwords=yes’ in dovecot.conf.

I’m trying to get Fail2ban to detect this log line:

Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)

I’ve added it as the last line of my dovecot filter regex:

failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
            ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$

Have spent ages googling and trying different variations.

Does anyone have a fail2ban regex that would work on the above Dovecot log line?

(Running latest versions of Dovecot and fail2ban)

Many thanks,

James.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8517 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20170911/02873db5/attachment.bin>


More information about the dovecot mailing list