Fail2ban 'Password mismatch' regex
James Brown
jlbrown at bordo.com.au
Mon Sep 11 10:46:42 EEST 2017
> On 11 Sep 2017, at 5:38 pm, Christian Kivalo <ml+dovecot at valo.at> wrote:
>
>> Many thanks Christian.
>> Added that, but it still doesn’t match:
>> $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)"
>> "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
> Your log has "auth-worker(10094): sql" whereas the fail2ban regex has ")sauth: Info: sql\(\". When you change that to ")sauth-worker: sql\(\" does it work then?
>
> Try to reduce the regex to a working minimum and then add parts back until it breaks…
Thanks Christian.
That didn’t work either:
$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"
Running tests
=============
Use failregex line : ^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\...
Use single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1...
Results
=======
Failregex: 0 total
Should there be something after “sauth-worker” for the ‘(10094)’?
Will keep trying deleting stuff till it works.
Thanks,
James.
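
The reduce-and-add-back approach suggested in the quoted reply, as an added Python example that is not part of the original message: it grows the pattern one fragment at a time and reports the first fragment that stops matching. PREFIX and HOST are simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s and <HOST>, the sample line is constructed from the one in the post, and first_breaking_fragment and extract_host are hypothetical helper names.

```python
import re

# Constructed sample line modelled on the log line in the post (address replaced).
LINE = ("Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): "
        "sql(user@example.com,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
        "Password mismatch (given password: 2)")

# Simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s and <HOST>.
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ dovecot\[\d+\]: "
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Remainder of the failregex from the post, split into individually valid pieces.
TAIL = [
    r"sql\(\S+,", HOST, r",<\S+>\): ",
    r"(Password mismatch|unknown user)",
    r"( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$",
]
# The pattern tried in the post, and a variant that allows the worker PID.
AS_POSTED = [PREFIX, r"auth-worker: "] + TAIL
WITH_PID = [PREFIX, r"auth-worker\(\d+\): "] + TAIL


def first_breaking_fragment(fragments, line):
    """Add fragments one by one; return the index of the first one
    that stops the growing pattern from matching, or None if all match."""
    pattern = ""
    for i, frag in enumerate(fragments):
        pattern += frag
        if re.match(pattern, line) is None:
            return i
    return None


def extract_host(fragments, line):
    """Return the address captured by the HOST stand-in, or None on no match."""
    m = re.match("".join(fragments), line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, frags in (("as posted", AS_POSTED), ("with PID", WITH_PID)):
        i = first_breaking_fragment(frags, LINE)
        broke = "none" if i is None else repr(frags[i])
        print(f"{name}: breaking fragment = {broke}, "
              f"host = {extract_host(frags, LINE)}")
```

The result holds for these stand-ins only; the real pattern still needs checking with fail2ban-regex against the actual log file.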