Fail2ban 'Password mismatch' regex

Christian Kivalo ml+dovecot at valo.at
Mon Sep 11 10:10:45 EEST 2017


On 2017-09-11 08:57, James Brown wrote:
> I have turned on 'auth_debug_passwords=yes' in dovecot.conf.
> 
> I’m trying to get Fail2ban to detect this log line:
> 
> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)
> 
> I’ve added it as the last line of my dovecot filter regex:
> 
> failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
>             ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallo$
>             ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication$
>             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
>             ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
               ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$
                                                             ^^^^^^^
You are missing the ID after the host part.
> 
> Have spent ages googling and trying different variations.
> 
> Does anyone have a fail2ban regex that would work on the above Dovecot 
> log line?
> 
> (Running latest versions of Dovecot and fail2ban)
> 
> Many thanks,
> 
> James.

-- 
  Christian Kivalo
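
A small offline harness for the point made in this reply, added here as an example and not taken from the thread: it checks the question's pattern, the reply's pattern and one variation against constructed log lines. Assumptions: `PREFIX` and `HOST` are simplified stand-ins for what fail2ban substitutes for `%(__prefix_line)s` and `<HOST>`, the log lines are constructed with the timestamp already stripped, and the `variation` pattern (the `(auth|auth-worker\(\d+\))` alternation borrowed from the other filter lines in the question, plus an optional `Info: `) is this example's own.

```python
import re

# Simplified stand-ins (assumptions); fail2ban's own expansions are more elaborate.
PREFIX = r"\s*\S+ dovecot(?:\[\d+\])?: "   # replaces %(__prefix_line)s
HOST = r"(?P<host>[0-9A-Za-z.:-]+)"        # replaces <HOST>

# Shared ending of the sql(...) filter lines quoted in the thread.
TAIL = (r"(Password mismatch|unknown user)( \((SHA1 of given password: "
        r"[0-9a-f]{5,40}|given password: \w*)\))?$")

PATTERNS = {
    # Last filter line from the question: no session ID field after the host.
    "question": r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): " + TAIL,
    # Line from the reply: ,\<\S+\> added after the host.
    "reply": r"^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): " + TAIL,
    # Variation (assumption, not from the thread): also accept the auth-worker(N) prefix.
    "variation": (r"^%(__prefix_line)s(auth|auth-worker\(\d+\)): (Info: )?"
                  r"sql\(\S+,<HOST>,\<\S+\>\): " + TAIL),
}

# Constructed sample lines; user, hosts and the short session ID are made up.
LINES = {
    "auth_no_id": " mail dovecot[54239]: auth: Info: "
                  "sql(user@example.com,192.0.2.10): Password mismatch",
    "auth_with_id": " mail dovecot[54239]: auth: Info: "
                    "sql(user@example.com,192.0.2.10,<abc123>): unknown user",
    "worker_with_id": " mail dovecot[54239]: auth-worker(10094): "
                      "sql(user@example.com,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
                      "Password mismatch (given password: 2)",
}

def expand(pattern):
    """Fill in the prefix and host placeholders with the stand-ins above."""
    return (pattern % {"__prefix_line": PREFIX}).replace("<HOST>", HOST)

def matched_host(pattern_name, line_name):
    """Return the captured host, or None if the pattern does not match the line."""
    m = re.search(expand(PATTERNS[pattern_name]), LINES[line_name])
    return m.group("host") if m else None

if __name__ == "__main__":
    for p in PATTERNS:
        for l in LINES:
            print(f"{p:10} {l:15} -> {matched_host(p, l)}")
```

Against a live system, `fail2ban-regex` run on the real log file and filter is the authoritative check, since it applies fail2ban's actual prefix and host expansions.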

