For dovecot 2.1
As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:
    maxretry = 6
    findtime = 600
    bantime = 3600
and there were, like, 2400 hits in 4 minutes. It is pointing to the correct log file, but I am no expert with fail2ban, so I'm not sure if the log format of today is compatible with the wiki2 entry.
filter.d/dovecot.conf:

    [Definition]
    failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    ignoreregex =
On 04/10/2013 1:47 AM, Nick Edwards wrote:
> For dovecot 2.1
> As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:
>     maxretry = 6
>     findtime = 600
>     bantime = 3600
> and there were, like, 2400 hits in 4 minutes. It is pointing to the correct log file, but I am no expert with fail2ban, so I'm not sure if the log format of today is compatible with the wiki2 entry.
Test the filter with fail2ban-regex.
    fail2ban-regex --help
Hi,
On 10/04/2013 07:47 AM, Nick Edwards wrote:
> For dovecot 2.1
> As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:
>     maxretry = 6
>     findtime = 600
>     bantime = 3600
> and there were, like, 2400 hits in 4 minutes. It is pointing to the correct log file, but I am no expert with fail2ban, so I'm not sure if the log format of today is compatible with the wiki2 entry.
> filter.d/dovecot.conf:
>
>     [Definition]
>     failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>     ignoreregex =
This is not a problem of Dovecot. Nevertheless, for analysis, you can use fail2ban-regex to apply your filter to your logfile.
Best regards, Gordon
Universitätsrechenzentrum (URZ)
E.-M.-Arndt-Universität Greifswald
Felix-Hausdorff-Str. 12
17489 Greifswald
Germany
Tel. +49 3834 86 1456
Fax. +49 3834 86 1401
On Fri, 2013-10-04 at 21:55 +0200, Gordon Grubert wrote:
> This is not a problem of Dovecot. Nevertheless, for analysis, you can use fail2ban-regex to apply your filter to your logfile.
Kind of right, but the Dovecot wiki apparently contains wrong information, so I think it's fair enough that it be brought up on this list. As per my previous message, when someone comes up with a simpler working example than what I suggested, Timo can fix it.
On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
> For dovecot 2.1
> As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:
Looks outdated.
> filter.d/dovecot.conf
That'll never work, you need to change

    [Definition]
    failregex = (?: pop3-login|imap-login): (?:Authentication

to

    failregex = (?: pop3-login|imap-login): .*(?:Authentication
                                            ^^
BUT then, with the rest of your regex, it will only partly match, because it's looking for ", something" like ", TLS" at the end, which won't appear on failed IMAP/POP3 logins that don't use TLS, etc. So any failed attempts using TLS will be found; if they are not using it, they will be missed (most miscreants likely won't be using it anyway).
I am NO Python expert, in fact I know less than less about Python, so you'll best need to wait for someone who knows the answer, or ask on the fail2ban list, on how you can change that to match both, by changing the last bit to

    \(auth failed).*rip=(?P<host>\S*)
In the meantime, you could repeat your failregex, like

    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
                (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)
I think that's horrible, messy, yucky, but it likely might work :) at least until you find a better answer. There are some fail2ban fanbois on this list, but as it's the weekend, you may need to be patient.
Bingo!
Thanks, working now
On 10/5/13, Noel Butler noel.butler@ausics.net wrote:
> On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
> > For dovecot 2.1
> > As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:
> Looks outdated.
> > filter.d/dovecot.conf
> That'll never work, you need to change
>
>     [Definition]
>     failregex = (?: pop3-login|imap-login): (?:Authentication
>
> to
>
>     failregex = (?: pop3-login|imap-login): .*(?:Authentication
>                                             ^^
>
> BUT then, with the rest of your regex, it will only partly match, because it's looking for ", something" like ", TLS" at the end, which won't appear on failed IMAP/POP3 logins that don't use TLS, etc. So any failed attempts using TLS will be found; if they are not using it, they will be missed (most miscreants likely won't be using it anyway).
> I am NO Python expert, in fact I know less than less about Python, so you'll best need to wait for someone who knows the answer, or ask on the fail2ban list, on how you can change that to match both, by changing the last bit to
>
>     \(auth failed).*rip=(?P<host>\S*)
>
> In the meantime, you could repeat your failregex, like
>
>     failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>                 (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)
>
> I think that's horrible, messy, yucky, but it likely might work :) at least until you find a better answer. There are some fail2ban fanbois on this list, but as it's the weekend, you may need to be patient.
On 04/10/2013 1:47 AM, Nick Edwards wrote:
> filter.d/dovecot.conf:
>
>     [Definition]
>     failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>     ignoreregex =
The following is included with fail2ban 0.8.10
filter.d/dovecot.conf:

    # Fail2Ban configuration file for dovcot
    #
    # Author: Martin Waschbuesch
    #
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*
                pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
Thanks, I have already fixed this. As with my reply to Noel, his suggestion works, and your example is the same as Noel's first one; as he correctly mentions, it seems, in my tests with fail2ban-regex it only sees TLS. The deadbeats trying to brute-force me never seem to use that, so it requires what Noel suggested, a repeat without the trailing ,.* as well. And our OS is not using PAM, so we wouldn't need that.
Thanks anyway.
On 10/5/13, Oscar del Rio delrio@mie.utoronto.ca wrote:
> On 04/10/2013 1:47 AM, Nick Edwards wrote:
> > filter.d/dovecot.conf:
> >
> >     [Definition]
> >     failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
> >     ignoreregex =
> The following is included with fail2ban 0.8.10
> filter.d/dovecot.conf:
>
>     # Fail2Ban configuration file for dovcot
>     #
>     # Author: Martin Waschbuesch
>     #
>     #
>
>     [Definition]
>
>     # Option:  failregex
>     # Notes.:  regex to match the password failures messages in the logfile. The
>     #          host must be matched by a group named "host". The tag "<HOST>" can
>     #          be used for standard IP/hostname matching and is only an alias for
>     #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
>     # Values:  TEXT
>     #
>     failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*
>                 pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
>
>     # Option:  ignoreregex
>     # Notes.:  regex to ignore. If this regex matches, the line is ignored.
>     # Values:  TEXT
>     #
>     ignoreregex =
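The two things the thread turns on, Noel's repeated failregex with and without the trailing ,.* after rip=, and the stock fail2ban 0.8.10 filter Oscar posted with its <HOST> alias and PAM alternative, can be checked offline with a small fail2ban-regex-style harness. The Python below is an added example written for this page; it is not code from the thread or from fail2ban itself. It expands <HOST> using the alias quoted in the 0.8.10 filter header, treats each non-empty line of a failregex value as one alternative the way fail2ban does, and runs the three variants over four constructed log lines (addresses, usernames and timestamps are made up; the line whose rip= is the last field is built specifically to show what the trailing ,.* requires, not as a statement about how Dovecot orders its fields). Unlike fail2ban-regex it strips no timestamp, so each pattern is simply searched across the whole line.

```python
"""Mini fail2ban-regex: apply the thread's Dovecot failregex variants to sample log lines.

Added example for this page; not code from the thread or from fail2ban.
"""
import re
from typing import Dict, List, Optional

# Alias that fail2ban 0.8.10 substitutes for the <HOST> tag, quoted from the
# header comment of its filter.d/dovecot.conf as posted in the thread.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# 1. Nick's filter as posted: the alternation follows "imap-login: " directly,
#    and ",.*" after the captured address requires a comma to follow it.
NICK_ORIGINAL = r"""
(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
"""

# 2. Noel's workaround: ".*" before the alternation, and the same alternative
#    repeated without the trailing ",.*" so an address with nothing after it
#    still matches.
NOEL_REPEATED = r"""
(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)
"""

# 3. The failregex shipped in fail2ban 0.8.10 as Oscar quoted it: the Dovecot
#    alternative still carries ",.*", plus a second alternative for PAM's message.
FAIL2BAN_0_8_10 = r"""
.*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*
pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
"""

# Constructed sample log (hosts, users and times are made up). Line 1 is built
# with rip= as the final field to exercise the trailing ",.*"; it is not a
# statement about Dovecot's real field order.
SAMPLE_LOG = [
    # 0: failed IMAP login, more fields (lip=, TLS) follow the address
    "Oct  5 09:12:01 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): "
    "user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS",
    # 1: failed POP3 login where rip= is the last thing on the line
    "Oct  5 09:12:05 mail dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): "
    "user=<bob>, method=PLAIN, rip=198.51.100.23",
    # 2: failure reported by PAM rather than by the login process
    "Oct  5 09:12:09 mail dovecot: auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=carol rhost=192.0.2.55  user=carol",
    # 3: successful login; a filter that bans this is broken
    "Oct  5 09:12:12 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, "
    "rip=192.0.2.99, lip=192.0.2.10, TLS",
]


def compile_failregex(text: str) -> List[re.Pattern]:
    """Each non-empty line of a failregex value is one alternative; expand <HOST>."""
    return [
        re.compile(line.strip().replace("<HOST>", HOST_ALIAS))
        for line in text.splitlines()
        if line.strip()
    ]


def banned_hosts(failregex: str, lines: List[str]) -> Dict[int, Optional[str]]:
    """Map each line index to the captured host, or None when no alternative matches.

    Simplification versus fail2ban-regex: no timestamp is stripped first; the
    patterns are searched across the whole line.
    """
    patterns = compile_failregex(failregex)
    result: Dict[int, Optional[str]] = {}
    for idx, line in enumerate(lines):
        result[idx] = None
        for pat in patterns:
            m = pat.search(line)
            if m:
                result[idx] = m.group("host")
                break
    return result


if __name__ == "__main__":
    for name, rx in (("Nick original", NICK_ORIGINAL),
                     ("Noel repeated", NOEL_REPEATED),
                     ("fail2ban 0.8.10", FAIL2BAN_0_8_10)):
        print(f"== {name}")
        for idx, host in banned_hosts(rx, SAMPLE_LOG).items():
            print(f"  line {idx}: {'host=' + host if host else 'no match'}")
```

On these constructed lines the original and the 0.8.10 filter both capture line 0 and both miss line 1, because ",.*" demands a comma after the address; only Noel's second alternative picks line 1 up, and only the 0.8.10 filter's PAM alternative picks up line 2. The successful login on line 3 matches nothing, which is the other property worth asserting whenever a failregex is loosened with a leading ".*". Against real logs the same check is what the thread already recommends: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf, which reports per-alternative match counts.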
Participants (4):
- Gordon Grubert
- Nick Edwards
- Noel Butler
- Oscar del Rio