fail2ban/config/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$

ignoreregex = 

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter Dovecot authentication and pop3/imap server`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00			`#`
ENH: dovecot regexs rewritten and extra failures 2013-06-13 13:52:15 +00:00
			`[INCLUDES]`

			`before = common.conf`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`[Definition]`

ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/ 2013-10-28 23:15:54 +00:00			`_daemon = (auth\|dovecot(-auth)?\|auth-worker)`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
ENH: tighten pam_unix expression for dovecot 2013-10-09 03:54:36 +00:00			`failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S)?\s$`
BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 01:51:21 +00:00			`^%(__prefix_line)s(pop3\|imap)-login: (Info: )?(Aborted login\|Disconnected)(: Inactivity)? \(((no auth attempts\|auth failed, \d+ attempts)( in \d+ secs)?\|tried to use (disabled\|disallowed) \S+ auth)\):( user=<\S>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s$`
ENH: auth-worker as per of _daemon definition for dovecot 2013-10-09 03:52:17 +00:00			`^%(__prefix_line)s(Info\|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)\|Authentication failure \(password mismatch\?\))\s*$`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
			`# DEV Notes:`
			`# * the first regex is essentially a copy of pam-generic.conf`
			`# * Probably doesn't do dovecot sql/ldap backends properly`
			`#`
			`# Author: Martin Waschbuesch`
			`# Daniel Black (rewrote with begin and end anchors)`