2013-10-30 13:02:59 +00:00
# Fail2Ban filter Dovecot authentication and pop3/imap server
2011-03-23 20:36:28 +00:00
#
2013-06-13 13:52:15 +00:00
[INCLUDES]
before = common.conf
2011-03-23 20:36:28 +00:00
[Definition]
2013-10-28 23:15:54 +00:00
_daemon = (auth|dovecot(-auth)?|auth-worker)
2013-06-13 13:52:15 +00:00
2013-10-09 03:54:36 +00:00
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
2014-01-29 09:43:51 +00:00
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
2013-10-09 03:52:17 +00:00
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
2011-03-23 20:36:28 +00:00
ignoreregex =
2013-05-09 23:15:07 +00:00
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
2013-11-02 04:59:05 +00:00
2013-10-30 13:02:59 +00:00
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
2014-01-28 11:44:46 +00:00
# * Removed the 'no auth attempts' log lines from the matches because produces
2014-03-24 13:16:52 +00:00
# lots of false positives on misconfigured MTAs making regexp unusable
2013-10-30 13:02:59 +00:00
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)