fail2ban can't match regex for exim4 / dovecot
When I enable the Dovecot jail, it doesn't work because the regex doesn't match the authentication error I'm getting.
Nov 04 16:26:17 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:33 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:45 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
Nov 04 16:26:56 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): stat(/etc/exim4/domains//passwd) failed: No such file or directory
I've spent a few days trying to understand how to write a regex to find this in the dovecot.log but it's a little bit outside my ability.
Does anyone know a regex line I can use to match this error (I get about 30 to 80 a day from various IPs - this one was specifically me testing the regex)...
Thank you kindly.
Michael
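An added example (not from the original thread) showing a fail2ban-style failregex for the passwd-file lines quoted above, run through fail2ban's <HOST> expansion in plain Python so the match and the extracted IP can be checked offline; the <HOST> expansion used is the one fail2ban 0.8 substitutes and is stated as an assumption. Note that these lines come straight from dovecot.log with only a date prefix, so the default dovecot filter's %(__prefix_line)s (which expects a syslog prefix) is not used here.

```python
import re

# Expansion fail2ban 0.8 substitutes for <HOST> (assumption; check your version).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Anchored at both ends. The username between "passwd-file(" and "," is
# attacker-controlled text, so it is matched with [^,]+ rather than a bare .*
# to keep the pattern from sliding around inside the line.
FAILREGEX = (
    r"^\s*\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} auth: Error: "
    r"passwd-file\([^,]+,<HOST>\): stat\(\S+\) failed: No such file or directory\s*$"
)


def failregex_to_python(failregex):
    """Expand fail2ban's <HOST> tag into the named group fail2ban bans on."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_hosts(lines):
    """Return the host from every line the filter matches (what fail2ban would count)."""
    pattern = failregex_to_python(FAILREGEX)
    return [m.group("host") for m in map(pattern.search, lines) if m]


# Constructed sample: two lines copied from the question plus one unrelated
# login line that must not match. The "//" in the stat() path shows the login
# attempt carried no domain part, so the per-domain passwd file cannot be
# found; the attempt fails, but no password is ever checked for it.
SAMPLE_LOG = [
    "Nov 04 16:26:17 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): "
    "stat(/etc/exim4/domains//passwd) failed: No such file or directory",
    "Nov 04 16:26:33 auth: Error: passwd-file(whatuphomeboy4,72.249.37.67): "
    "stat(/etc/exim4/domains//passwd) failed: No such file or directory",
    "Nov 04 16:27:01 imap-login: Info: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=192.0.2.1",
]

if __name__ == "__main__":
    print(extract_hosts(SAMPLE_LOG))  # ['72.249.37.67', '72.249.37.67']
```

The FAILREGEX string is what would go on the failregex line of a filter.d file; fail2ban ships fail2ban-regex, which can be pointed at the real dovecot.log and that filter to confirm the same lines match before enabling the jail.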
Re: fail2ban can't match regex for exim4 / dovecot
The ones I use are default plus one I found also while trying to figure out how to solve my problem.
All my attempts to write a line failed to ban.
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*