authorsebres <serg.brester@sebres.de>2018-07-17 15:06:42 +0200
committersebres <serg.brester@sebres.de>2018-07-17 15:06:42 +0200
commit8fe07e29ad7a2b3c5b0749c4f2a63aa97766275e (patch)
tree95e0a71a3ba5faf69c97f76d75f757d82fc7b79c
parent94ffd00328af29304110df55ceffe2863b4afaf8 (diff)
downloadfail2ban-8fe07e29ad7a2b3c5b0749c4f2a63aa97766275e.tar.gz
filter.d/dovecot.conf: failregex enhancement to catch disconnected with "proxy dest auth failed";
closes gh-2184
-rw-r--r--ChangeLog4
-rw-r--r--config/filter.d/dovecot.conf2
-rw-r--r--fail2ban/tests/files/logs/dovecot3
3 files changed, 7 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index f54b4a71..74c3b172 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,7 +35,9 @@ ver. 0.10.4-dev-1 (20??/??/??) - development edition
-----------
### Fixes
-* `filter.d/dovecot.conf`: failregex enhancement to catch sql password mismatch errors (gh-2153);
+* `filter.d/dovecot.conf`:
+ - failregex enhancement to catch sql password mismatch errors (gh-2153);
+ - disconnected with "proxy dest auth failed" (gh-2184);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
and don't allowed in command-actions), see gh-2114;
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index daea2ff3..f0481e06 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -13,7 +13,7 @@ _daemon = (?:dovecot(?:-auth)?|auth)
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
- ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+ ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)\s*$
<mdre-<mode>>
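Review bot: The new `proxy dest auth failed` alternative in the second failregex line matches a message that is emitted by the proxy frontend, not by the backend that actually rejected the credentials, and nothing in the filter records that distinction. On such a line `rip=` is the client address as seen by the proxy, so the host captured is the right one to act on, but if the destination backend rejects logins for a reason unrelated to the client's credentials (a misconfigured auth service on the backend, for instance), every login through the proxy would match and legitimate clients would be banned in bulk — worth confirming against the login-proxy messages of the supported dovecot versions. A short comment above the failregex would make this reviewable later, e.g. `# "proxy dest auth failed": dovecot proxy reporting that the destination backend rejected the forwarded credentials; rip= is the client address seen by the proxy`. The added log sample in fail2ban/tests/files/logs/dovecot also carries what looks like a real user's mailbox address; an example.com address would be safer in a public fixture.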
diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
index 16d40c47..dfa6199e 100644
--- a/fail2ban/tests/files/logs/dovecot
+++ b/fail2ban/tests/files/logs/dovecot
@@ -83,6 +83,9 @@ Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempt
# failJSON: { "time": "2005-03-23T06:10:52", "match": true , "host": "52.37.139.121" }
Mar 23 06:10:52 auth: Info: ldap(dog,52.37.139.121,): invalid credentials
+# failJSON: { "time": "2005-07-17T09:21:22", "match": true , "host": "192.0.2.4", "desc": "proxy dest auth failed, gh-2184"}
+Jul 17 09:21:22 mailproxy dovecot: imap-login: Disconnected (proxy dest auth failed): user=<rtomes@acenet.com.au>, method=PLAIN, rip=192.0.2.4, lip=192.168.1.2, session=<NTI4FiZxcQCSud4G>
+
# failJSON: { "time": "2005-07-26T11:11:21", "match": true , "host": "192.0.2.1" }
Jul 26 11:11:21 hostname dovecot: imap-login: Disconnected: Too many invalid commands (tried to use disallowed plaintext auth): user=<test>, rip=192.0.2.1, lip=192.168.1.1, session=<S5dIdTFCDKUWWMbU>
# failJSON: { "time": "2005-07-26T11:12:19", "match": true , "host": "192.0.2.2" }