diff options
author | sebres <serg.brester@sebres.de> | 2022-02-09 12:18:23 +0100 |
---|---|---|
committer | sebres <serg.brester@sebres.de> | 2022-02-09 12:18:23 +0100 |
commit | 498e473a10ee56aa6345b03cd3bf83e017df966c (patch) | |
tree | a7c1aa78b72e1539c1549a2d1817655244373713 | |
parent | 8013cf0b900f2cacfdc1c9152c9b9847bfc41877 (diff) | |
download | fail2ban-498e473a10ee56aa6345b03cd3bf83e017df966c.tar.gz |
filter.d/courier-auth.conf: consider optional port after IP, regex is rewritten without catch-all's and right anchor, so it is more stable against further modifications now;
closes #3211
-rw-r--r-- | config/filter.d/courier-auth.conf | 2 | ||||
-rw-r--r-- | fail2ban/tests/files/logs/courier-auth | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/config/filter.d/courier-auth.conf b/config/filter.d/courier-auth.conf index 1ac33736..d5ba9c50 100644 --- a/config/filter.d/courier-auth.conf +++ b/config/filter.d/courier-auth.conf @@ -11,7 +11,7 @@ before = common.conf _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? -failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$ +failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=<F-USER>[^,]*</F-USER>|\w+=[^,]*), )*ip=\[<HOST>\] ignoreregex = diff --git a/fail2ban/tests/files/logs/courier-auth b/fail2ban/tests/files/logs/courier-auth index 3505e109..8a20a27f 100644 --- a/fail2ban/tests/files/logs/courier-auth +++ b/fail2ban/tests/files/logs/courier-auth @@ -8,3 +8,5 @@ Nov 13 08:11:53 server imapd-ssl: LOGIN FAILED, user=user@domain.tld, ip=[::ffff Apr 17 19:17:11 SERVER courierpop3login: LOGIN FAILED, user=USER@EXAMPLE.org, ip=[::ffff:1.2.3.4] # failJSON: { "time": "2005-04-17T19:17:12", "match": true , "host": "192.0.2.4" } Apr 17 19:17:12 server imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:192.0.2.4] +# failJSON: { "time": "2005-04-27T09:00:00", "match": true , "user": "tester", "host": "192.0.2.5" } +Apr 27 09:00:00 servername imapd: LOGIN FAILED, user=tester, ip=[::ffff:192.0.2.5], port=[255] |