2013-10-30 13:02:59 +00:00
# Fail2Ban filter Dovecot authentication and pop3/imap server
2011-03-23 20:36:28 +00:00
#
2013-06-13 13:52:15 +00:00
[INCLUDES]
before = common.conf
2011-03-23 20:36:28 +00:00
[Definition]
2017-02-21 14:54:59 +00:00
_auth_worker = (?:dovecot: )?auth(?:-worker)?
2017-09-01 08:25:09 +00:00
_daemon = (?:dovecot(?:-auth)?|auth)
2013-06-13 13:52:15 +00:00
2017-09-01 08:25:09 +00:00
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
2017-02-21 14:54:59 +00:00
failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
2017-09-01 08:25:09 +00:00
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
2017-10-04 07:57:18 +00:00
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
2017-08-07 16:07:36 +00:00
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
2017-09-01 07:56:21 +00:00
<mdre-<mode>>
2017-09-01 08:25:09 +00:00
mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
2017-09-01 07:56:21 +00:00
mdre-normal =
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal
2011-03-23 20:36:28 +00:00
ignoreregex =
2013-05-09 23:15:07 +00:00
journalmatch = _SYSTEMD_UNIT=dovecot.service
2013-11-02 04:59:05 +00:00
2016-10-07 12:57:45 +00:00
datepattern = {^LN-BEG}TAI64N
{^LN-BEG}
2013-10-30 13:02:59 +00:00
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
2016-03-21 05:53:23 +00:00
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
2013-10-30 13:02:59 +00:00
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
2016-03-21 05:53:23 +00:00
# Martin O'Neal (added LDAP authentication failure regex)
2016-11-26 15:50:37 +00:00
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)