Po zapnutí logování dovecotu:
/etc/dovecot/conf.d/10-logging.conf
auth_verbose = yes

/var/log/mail.log
dovecot: auth-worker(10998): sql(test@test.cz,111.111.2.1,): Password mismatch

přidání řádku
/etc/fail2ban/filter.d/dovecot.conf
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): sql\(\S*,,\S*\): Password mismatch$

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): sql\(\S*,,\S*\): Password mismatch$

# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 1
|- Total banned: 1

testování regexu
# fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/dovecot.conf

Trackback

Žádný komentář do teď

Přidejte svůj komentář