under some kind of attack

mj lists at merit.unu.edu
Thu Jul 20 13:28:51 EEST 2017


I have concocted something that seems to work. And for the archives, this 
is it:

> failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
>             auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)

It's still reactive, and not pro-active.

All the other suggestions are very much appreciated, including 
weakforced, however implementing that is a much larger project.

Next I have to find out how to feed my fail2ban logs back to 
blocklist.de, to improve their mail.txt hit rate.

Thanks again for all kind assistance.

MJ

On 07/20/2017 11:16 AM, mj wrote:
> Hi all,
> 
> If I may, one more question on this subject:
> 
> I would like to create a fail2ban filter, that scans for these lines:
> 
>> Jul 20 11:10:09 auth: Info: 
>> ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials 
>> (given password: password)
>> Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): 
>> invalid credentials (given password: password)
> 
> (as you can see, I have enabled auth_verbose_passwords to do this, 
> making me very uncomfortable...)
> 
> Anyway: since there are only a few password variations, I would like to 
> block anyone using those passwords.
> 
> (since the connections are over TLS/SSL, I cannot use iptables, as 
> suggested earlier)
> 
> So I need a specific fail2ban rule that extracts the <IP> from that 
> line, and matches on "(given password: password)"
> 
> Can anyone here help out with a failregex line that would match..?
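
To see what the failregex lines posted above actually select, here is an added example (not code from the thread or from fail2ban itself) that runs those five patterns over sample log lines the way fail2ban's filter stage would: expand `<HOST>`, search each line, capture the host, and count hits per host against a maxretry threshold. The `<HOST>` stand-in is a simplified assumption (fail2ban's own expansion is more elaborate); the first two log lines are the ones quoted in the thread, the others are constructed here to show lines the filter should and should not catch.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> expansion. Assumption: simplified to the
# characters of an IPv4/IPv6 address; fail2ban's real pattern is richer.
HOST_RE = r"(?P<host>[\w.:\-]+)"

# The failregex lines as posted on the list, one pattern per entry.
FAILREGEX = [
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)",
    r"auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)",
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample log. Lines 1 and 2 are the ones quoted in the thread;
# the rest are made up here to exercise the filter (two must NOT match).
SAMPLE_LOG = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,<cDFXHbxUQgA8piOi>): invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)",
    "Jul 20 11:10:31 auth: Info: ldap(user3,198.51.100.7,<abc>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 20 11:10:40 auth: Info: ldap(user4,203.0.113.9,<def>): invalid credentials (given password: correct-horse)",
    "Jul 20 11:10:45 auth: Info: ldap(user1,60.166.35.162,<ghi>): invalid credentials (given password: 123321)",
    # 'Password1' is not caught: the first pattern needs 'ssword' right before ')'.
    "Jul 20 11:10:50 auth: Info: ldap(user5,203.0.113.9,<jkl>): invalid credentials (given password: Password1)",
]


def match_host(line):
    """Return the host captured by the first failregex that matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def matching_hosts(lines):
    """Hosts of all matching lines, in log order (one entry per hit)."""
    return [h for h in map(match_host, lines) if h is not None]


def hosts_to_ban(lines, maxretry=1):
    """Hosts with at least maxretry hits, the set fail2ban would act on."""
    hits = Counter(matching_hosts(lines))
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("ban", host)
```

Before deploying a filter like this, the same check can be done against the real log with `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/<your-filter>.conf`, which reports how many lines each failregex matched. As the thread notes, this approach only works while `auth_verbose_passwords` is on, so the log then contains plaintext passwords, including the ones legitimate users mistype.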

