Hello everyone,
I am currently trying to adapt a filter for Fail2ban. Unfortunately it is not working the way I expected. My problem: the regex is correct, and fail2ban-regex confirms this when I test it on the command line, but when I test fail2ban-regex using the failregex in /etc/fail2ban/filter.d/dovecot.conf, the test unfortunately fails ☹
Maybe you have a pointer for me; here is the information I have:
```
~# fail2ban-regex mail.log /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use         datepattern : Default Detectors
Use         log file : mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 4 lines, 0 ignored, 0 matched, 4 missed
[processed in 0.01 sec]

|- Missed line(s):
|  Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch (SHA1 of given password: cd2eb0837c9b)
|  Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch
|  Sep 5 17:02:21 host dovecot: imap-login: Login: user=<catcher@example.de>, method=PLAIN, rip=8.8.8.8:50080, lip=9.9.9.9:143, mpid=8797, ssl=TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
|  Sep 5 17:02:35 host dovecot: auth-worker(8796): sql(ssss@example.de,9.9.9.9,<AA2fZl5YosMf0VlG>): unknown user (SHA1 of given password: cd2eb0837c9b)
```
If I use the regex directly on the command line, everything works as desired:
```
~# fail2ban-regex mail.log "^.*dovecot: auth-worker\([0-9]{1,}\): sql\(.*,<HOST>.*\): (Password mismatch|unknown user).*$"

Running tests
=============

Use   failregex line : ^.*dovecot: auth-worker\([0-9]{1,}\): sql\(.*,<HOS...
Use         log file : mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 3 total
|-  #) [# of hits] regular expression
|   1) [3] ^.*dovecot: auth-worker\([0-9]{1,}\): sql\(.*,<HOST>.*\): (Password mismatch|unknown user).*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 4 lines, 0 ignored, 3 matched, 1 missed
[processed in 0.01 sec]

|- Missed line(s):
|  Sep 5 17:02:21 host dovecot: imap-login: Login: user=<catcher@example.de>, method=PLAIN, rip=8.8.8.8:50080, lip=9.9.9.9:143, mpid=8797, ssl=TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
`-
```
/etc/fail2ban/filter.d/dovecot.conf
```
# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
            ^.*dovecot: auth-worker\([0-9]{1,}\): sql\(.*,<HOST>.*\): (Password mismatch|unknown user).*$
            <mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
#   filter = dovecot[mode=aggressive]
mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
              {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
```
mail.log (password hash and other data are anonymised)
```
Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch (SHA1 of given password: cd2eb0837c9b)
Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch
Sep 5 17:02:21 host dovecot: imap-login: Login: user=<catcher@example.de>, method=PLAIN, rip=8.8.8.8:50080, lip=9.9.9.9:143, mpid=8797, ssl=TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 5 17:02:35 host dovecot: auth-worker(8796): sql(ssss@example.de,9.9.9.9,<AA2fZl5YosMf0VlG>): unknown user (SHA1 of given password: cd2eb0837c9b)
```
I would be very grateful for a solution, or at least an approach to one, and thank you in advance.
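As an added illustration (not part of the post and not fail2ban's own code), the following Python model shows why the same failregex behaves differently in the two runs: inside a filter file with a prefregex, fail2ban first matches prefregex against the whole line and then runs each failregex only against the <F-CONTENT> remainder, so a rule anchored on "dovecot: auth-worker(...)" never sees that text. The prefix and <HOST> patterns are simplified stand-ins for common.conf's __prefix_line and fail2ban's <HOST> (IPv4 only here), and the content-relative rule is my own assumption, not an upstream rule.

```python
import re

# Constructed sample lines, modelled on the four anonymised lines in the post.
LOG_LINES = [
    "Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch (SHA1 of given password: cd2eb0837c9b)",
    "Sep 5 16:59:25 host dovecot: auth-worker(8132): sql(myuser@example.de,9.9.9.9,<qaZQW15Y8Mm8RDFE>): Password mismatch",
    "Sep 5 17:02:21 host dovecot: imap-login: Login: user=<catcher@example.de>, method=PLAIN, rip=8.8.8.8:50080, lip=9.9.9.9:143, mpid=8797, ssl=TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Sep 5 17:02:35 host dovecot: auth-worker(8796): sql(ssss@example.de,9.9.9.9,<AA2fZl5YosMf0VlG>): unknown user (SHA1 of given password: cd2eb0837c9b)",
]

# Assumed simplifications: real <HOST> also covers IPv6 and hostnames, and the real
# __prefix_line (date, host, daemon name) comes from common.conf; the pam branch of
# the prefregex is left out because none of the sample lines use it.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX_LINE = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?:dovecot(?:-auth)?|auth)(?:\[\d+\])?: "
AUTH_WORKER = r"(?:dovecot: )?auth(?:-worker)?"

# prefregex from the post's dovecot.conf with the %(...)s references expanded.
PREFREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"(?:" + AUTH_WORKER + r"(?:\([^\)]+\))?: )?"
    + r"(?:(?:pop3|imap)-login: )?(?:Info: )?(?P<content>.+)$"
)


def match_filter(failregex, lines):
    """Two-stage match: prefregex strips the prefix, then failregex is applied
    to the <F-CONTENT> remainder only, never to the full line. Returns the
    <HOST> captured for every line the rule matches."""
    rule = re.compile(failregex.replace("<HOST>", HOST))
    hits = []
    for line in lines:
        pre = PREFREGEX.match(line)
        if not pre:
            continue  # line does not even reach the failregex stage
        hit = rule.match(pre.group("content"))
        if hit:
            hits.append(hit.group("host"))
    return hits


# The rule from the post. It expects "dovecot: auth-worker(...)" in the text it
# is matched against, but prefregex has already consumed that part.
POSTED_RULE = r"^.*dovecot: auth-worker\([0-9]{1,}\): sql\(.*,<HOST>.*\): (Password mismatch|unknown user).*$"

# Hypothetical rule written against the remaining content instead; the optional
# trailing group absorbs Dovecot's "(SHA1 of given password: ...)" suffix.
CONTENT_RULE = r"^sql\(\S*,<HOST>(?:,\S*)?\): (?:Password mismatch|unknown user)(?: \(SHA1 of given password: [0-9a-f]+\))?\s*$"

if __name__ == "__main__":
    print("posted rule :", match_filter(POSTED_RULE, LOG_LINES))   # []
    print("content rule:", match_filter(CONTENT_RULE, LOG_LINES))  # three hits
```

Running the same rule through `fail2ban-regex mail.log /etc/fail2ban/filter.d/dovecot.conf` after editing the filter is the authoritative check, since only that path applies the prefregex.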