Fail2ban 'Password mismatch' regex
I have turned on 'auth_debug_passwords=yes’ in dovecot.conf.
I’m trying to get Fail2ban to detect this log line:
Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au <mailto:user@bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
I’ve added it as the last line of my dovecot filter regex:
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
Have spent ages googling and trying different variations.
Does anyone have a fail2ban regex that would work on the above Dovecot log line?
(Running latest versions of Dovecot and fail2ban)
Many thanks,
James.
On 2017-09-11 08:57, James Brown wrote:
I have turned on 'auth_debug_passwords=yes’ in dovecot.conf.
I’m trying to get Fail2ban to detect this log line:
Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au <mailto:user@bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
I’ve added it as the last line of my dovecot filter regex:
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ ^^^^^^^ You are missing the ID after the host part.
Have spent ages googling and trying different variations.
Does anyone have a fail2ban regex that would work on the above Dovecot log line?
(Running latest versions of Dovecot and fail2ban)
Many thanks,
James.
-- Christian Kivalo
On 11 Sep 2017, at 5:10 pm, Christian Kivalo <ml+dovecot@valo.at> wrote:
On 2017-09-11 08:57, James Brown wrote:
I have turned on 'auth_debug_passwords=yes’ in dovecot.conf. I’m trying to get Fail2ban to detect this log line: Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au <mailto:user@bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2) I’ve added it as the last line of my dovecot filter regex: failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ ^^^^^^^ You are missing the ID after the host part.
Christian Kivalo
Many thanks Christian.
Added that, but it still doesn’t match:
$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
Running tests
Use failregex line : ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S... Use single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...
Results
Failregex: 0 total
Ignoreregex: 0 total
Date template hits: |- [# of hits] date format | [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.00 sec]
|- Missed line(s): | Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2) `-
Any other suggestions?
Thanks,
James.
Many thanks Christian.
Added that, but it still doesn’t match:
$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$" Your log has "auth-worker(10094): sql" whereas the fail2ban regex has ")sauth: Info: sql\(\". When you change that to ")sauth-worker: sql\(\" does it work then?
Try to reduce the regex to a working minimum and then add parts back until it breaks...
[...]
Any other suggestions?
Thanks,
James.
-- Christian Kivalo
On 11 Sep 2017, at 5:38 pm, Christian Kivalo <ml+dovecot@valo.at> wrote:
Many thanks Christian. Added that, but it still doesn’t match: $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$" Your log has "auth-worker(10094): sql" whereas the fail2ban regex has ")sauth: Info: sql\(\". When you change that to ")sauth-worker: sql\(\" does it work then?
Try to reduce the regex to a working minimum and then add parts back until it breaks…
Thanks Christian.
That didn’t work either:
$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
Running tests
Use failregex line : ^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\... Use single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...
Results
Failregex: 0 total
Should there be something after “sauth-worker” for the ‘(10094)’?
Will keep trying deleting stuff till it works.
Thanks,
James.
maybe look at weakforced?
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
participants (3)
-
Christian Kivalo
-
James Brown
-
Marcus Rueckert