Fail2ban 'Password mismatch' regex

James Brown jlbrown at bordo.com.au
Mon Sep 11 10:23:48 EEST 2017 


> On 11 Sep 2017, at 5:10 pm, Christian Kivalo <ml+dovecot at valo.at> wrote:
> 
> On 2017-09-11 08:57, James Brown wrote:
>> I have turned on 'auth_debug_passwords=yes’ in dovecot.conf.
>> I’m trying to get Fail2ban to detect this log line:
>> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
>> I’ve added it as the last line of my dovecot filter regex:
>> failregex =
>> ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
>>            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$
>>            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$
>>            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>>            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>>            ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
>              ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
>                                                            ^^^^^^^
> You are missing the ID after the host part.
> -- 
> Christian Kivalo
> 
Many thanks Christian.

Added that, but it still doesn’t match:

$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Running tests
=============

Use   failregex line : ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S...
Use      single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
`-

Any other suggestions?

Thanks,

James.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8517 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20170911/95763f45/attachment.bin>

More information about the dovecot mailing list