fail2ban/config/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

__prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?

failregex = ^%(__prefregex)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefregex)s(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^%(__prefregex)spam\(\S+,<HOST>\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefregex)s[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter Dovecot authentication and pop3/imap server`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00			`#`
ENH: dovecot regexs rewritten and extra failures 2013-06-13 13:52:15 +00:00
			`[INCLUDES]`

			`before = common.conf`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`[Definition]`

filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c0d5a0d3a724f04f7b4540c6d873b4b) fixed failregex (without new mode aggressive) 2017-09-01 08:57:41 +00:00			`_auth_worker = (?:dovecot: )?auth(?:-worker)?`
			`_daemon = (?:dovecot(?:-auth)?\|auth)`
ENH: dovecot regexs rewritten and extra failures 2013-06-13 13:52:15 +00:00
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c0d5a0d3a724f04f7b4540c6d873b4b) fixed failregex (without new mode aggressive) 2017-09-01 08:57:41 +00:00			`__prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: \|(?:pop3\|imap)-login: )?(?:Info: )?`

			`failregex = ^%(__prefregex)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S)?\s$`
			`^%(__prefregex)s(?:Aborted login\|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?\|tried to use (?:disabled\|disallowed) \S+ auth)\):(?: user=<[^>]>,)?(?: method=\S+,)? rip=<HOST>(?:[^>](?:, session=<\S+>)?)\s*$`
			`^%(__prefregex)spam\(\S+,<HOST>\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)\|Authentication failure \(password mismatch\?\))\s*$`
			`^%(__prefregex)s[a-z\-]{3,15}\(\S,<HOST>(?:,\S)?\): (?:unknown user\|invalid credentials)\s*$`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`ignoreregex =`
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00
			`[Init]`

			`journalmatch = _SYSTEMD_UNIT=dovecot.service`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# DEV Notes:`
			`# * the first regex is essentially a copy of pam-generic.conf`
Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00			`# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)`
Removed the -no auth attempts- from the triggers because of lots of FP 2014-01-28 11:44:46 +00:00			`# * Removed the 'no auth attempts' log lines from the matches because produces`
Fix a few typos Found with https://github.com/lucasdemarchi/codespell Signed-off-by: Ruben Kerkhof <ruben@rubenkerkhof.com> 2014-03-24 13:16:52 +00:00			`# lots of false positives on misconfigured MTAs making regexp unusable`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`#`
			`# Author: Martin Waschbuesch`
			`# Daniel Black (rewrote with begin and end anchors)`
Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00			`# Martin O'Neal (added LDAP authentication failure regex)`
filter.d/dovecot.conf update: - fixes failregex, that ignores failures through some irrelevant info (closes #1623); - ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?\|tried to use (disabled\|disallowed) \S+ auth)\)` - review, IPv6 compatibility fix, non-capturing groups 2016-11-26 15:50:37 +00:00			`# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)`