fail2ban can't match regex for exim4 / dovecot
When I enable the Dovecot jail, it doesn't work because the regex doesn't match the authentication error I'm getting.
Nov 04 16:26:17 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:33 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:45 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:56 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
I've spent a few days trying to understand how to write a regex to find this in the dovecot.log but it's a little bit outside my ability.
Does anyone know a regex line I can use to match this error (I get about 30 to 80 a day from various IPs - this one was specifically me testing the regex)....
Thank you kindly.
Michael
Re: fail2ban can't match regex for exim4 / dovecot
The ones I use are default plus one I found also while trying to figure out how to solve my problem.
All my attempts to write a line failed to ban.
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
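Added example (not code from either post, and not part of Vesta or fail2ban): a small Python script that checks a fail2ban-style failregex against the four `passwd-file` error lines from the original question, the way fail2ban does it (strip the timestamp, then run the failregex and pull out `<HOST>`). It shows why the default Dovecot patterns quoted in the reply never fire on this line (they look for `pam_unix`, `imap-login`, and so on), proposes one pattern that does fire, and tallies hits per IP against `maxretry`/`findtime` so you can see which address a jail would ban. The expansions of `%(__prefix_line)s` and `<HOST>` are simplified stand-ins for what fail2ban builds from `common.conf`, and the two benign log lines and the year used for the timestamps are constructed for the test; treat all of those as assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of dovecot.log lines: the four failures from the post plus
# two benign lines (constructed) that a correct failregex must NOT match.
SAMPLE_LOG = """\
Nov 04 16:26:17 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:33 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:45 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:56 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:27:02 imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Nov 04 16:27:10 auth: Info: passwd-file(alice,192.0.2.10): lookup: user=alice
"""

# Syslog-style timestamp that fail2ban's datepattern removes before failregex runs.
DATE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")

# Assumption: simplified stand-ins for two fail2ban substitutions. Real fail2ban
# builds __prefix_line from common.conf and <HOST> from its own template; these
# approximations are enough to exercise a pattern offline.
PREFIX_LINE = r"\s*(?:\S+ )?(?:dovecot(?:-auth)?|auth)(?:\([^)]+\))?(?:\[\d+\])?:?\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)

# Candidate failregex for the passwd-file error from the question.
PASSWD_FILE_FAILREGEX = (
    r"^%(__prefix_line)sError: passwd-file\([^,()]+,<HOST>\): "
    r"stat\(\S+\) failed: No such file or directory\s*$"
)

# First default pattern quoted in the reply (pam_unix form), kept for comparison.
PAM_UNIX_FAILREGEX = (
    r"^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$"
)

def match_failures(log_text, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m_date = DATE_RE.match(line)
        if not m_date:
            continue
        rest = line[m_date.end():]  # fail2ban matches the line with the date removed
        m = rx.search(rest)
        if m:
            hits.append((m_date.group("ts"), m.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Mimic the jail decision: hosts with >= maxretry hits inside findtime seconds."""
    per_host = defaultdict(list)
    for ts, host in hits:
        # The sample lines carry no year; a constructed one is fine since only deltas matter.
        per_host[host].append(datetime.strptime("2023 " + ts, "%Y %b %d %H:%M:%S"))
    banned = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)

if __name__ == "__main__":
    hits = match_failures(SAMPLE_LOG, PASSWD_FILE_FAILREGEX)
    print("passwd-file failregex hits per host:", Counter(h for _, h in hits))
    print("pam_unix failregex hits:", len(match_failures(SAMPLE_LOG, PAM_UNIX_FAILREGEX)))
    print("would ban:", hosts_to_ban(hits))
```

Once a pattern passes here, confirm it against the real log with fail2ban's own tester before reloading the jail, for example `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf`, since that uses the genuine `__prefix_line` and `<HOST>` definitions rather than the stand-ins above. Keep the user field as `[^,()]+` rather than `.*` so the pattern cannot be dragged across a log line that happens to contain a second `,IP)` further on.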