fail2ban/config/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:dovecot(?:-auth)?|auth)

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?
_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$

failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
            <mdre-<mode>>

mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

mdre-normal = 

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal

ignoreregex = 

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter Dovecot authentication and pop3/imap server`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00			`#`
ENH: dovecot regexs rewritten and extra failures 2013-06-13 13:52:15 +00:00
			`[INCLUDES]`

			`before = common.conf`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`[Definition]`

fixes gh-3370: resolve extremely long search by repeated apply of non-greedy RE `(?:: (?:[^\(]+\|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests amend to gh-3210: fixes regression and matches new format in aggressive mode too 2022-10-04 12:03:07 +00:00			`_daemon = (?:dovecot(?:-auth)?\|auth)`

Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 14:54:59 +00:00			`_auth_worker = (?:dovecot: )?auth(?:-worker)?`
filter.d/dovecot.conf: parse everything in parenthesis by auth-worker info, e. g. can match (pid=...,uid=...) too (amend to 92f90038fa67d719c55c75f5eff8059e849fe747) 2022-02-08 18:21:37 +00:00			`_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?`
fixes gh-3370: resolve extremely long search by repeated apply of non-greedy RE `(?:: (?:[^\(]+\|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests amend to gh-3210: fixes regression and matches new format in aggressive mode too 2022-10-04 12:03:07 +00:00			`_bypass_reject_reason = (?:: (?:\w+\([^\):]\) \w+\|[^\(]+))`
ENH: dovecot regexs rewritten and extra failures 2013-06-13 13:52:15 +00:00
filter.d/dovecot.conf: extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:` (authenticate from external service like exim), gh-2553 2021-05-29 19:12:34 +00:00			`prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: \|(?:pop3\|imap\|managesieve\|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$`
Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 14:54:59 +00:00
dovecot: collect F-USER and variants We are prefering ruser= if availble because this are credentials presented to dovecot from remote client. 2018-06-30 14:16:03 +00:00			`failregex = ^authentication failure; logname=<F-ALT_USER1>\S</F-ALT_USER1> uid=\S euid=\S* tty=dovecot ruser=<F-USER>\S</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S</F-ALT_USER>)?\s*$`
fixes gh-3370: resolve extremely long search by repeated apply of non-greedy RE `(?:: (?:[^\(]+\|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests amend to gh-3210: fixes regression and matches new format in aggressive mode too 2022-10-04 12:03:07 +00:00			`^(?:Aborted login\|Disconnected\|Remote closed connection\|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?\|tried to use (?:disabled\|disallowed) \S+ auth\|proxy dest auth failed)\):(?: user=<<F-USER>[^>]</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>](?:, session=<\S+>)?)\s*$`
filter.d/dovecot.conf: fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880) 2021-05-29 18:25:28 +00:00			`^pam\(\S+,<HOST>(?:,\S)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)\|Authentication failure \([Pp]assword mismatch\?\)\|Permission denied)\s$`
			`^[a-z\-]{3,15}\(\S,<HOST>(?:,\S)?\): (?:[Uu]nknown user\|[Ii]nvalid credentials\|[Pp]assword mismatch)`
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`, leave it end-anchored because variable part `user=<[^>]>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]` in opposite to "greedy" `user=<[^>]>`. - introduces mode `aggressive` and extends regex for this mode to match: no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs) * disconnected before auth was ready * client didn't finish SASL auth 2017-09-01 07:56:21 +00:00			`<mdre-<mode>>`

fixes gh-3370: resolve extremely long search by repeated apply of non-greedy RE `(?:: (?:[^\(]+\|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests amend to gh-3210: fixes regression and matches new format in aggressive mode too 2022-10-04 12:03:07 +00:00			`mdre-aggressive = ^(?:Aborted login\|Disconnected\|Remote closed connection\|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts\|disconnected before auth was ready,\|client didn't finish \S+ auth,)(?: (?:in\|waited) \d+ secs)?\):(?: user=<[^>]>,)?(?: method=\S+,)? rip=<HOST>(?:[^>](?:, session=<\S+>)?)\s*$`
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`, leave it end-anchored because variable part `user=<[^>]>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]` in opposite to "greedy" `user=<[^>]>`. - introduces mode `aggressive` and extends regex for this mode to match: no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs) * disconnected before auth was ready * client didn't finish SASL auth 2017-09-01 07:56:21 +00:00
			`mdre-normal =`

			# Parameter `mode` - `normal` or `aggressive`.
			`# Aggressive mode can be used to match log-entries like:`
			`# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.`
			`# Note it may produce lots of false positives on misconfigured MTAs.`
			`# Ex.:`
			`# filter = dovecot[mode=aggressive]`
			`mode = normal`
NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 2011-03-23 20:36:28 +00:00
			`ignoreregex =`
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00
			`journalmatch = _SYSTEMD_UNIT=dovecot.service`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00
more precise date template handling (WARNING: this commit creates possible incompatibilities): - datedetector rewritten more strict as earlier; - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`); - more as one date pattern can be specified using option `datepattern` now (new-line separated); - some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time); - option `datepattern` can be specified in jail also (jails without filters); - if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter); - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now); - standard filters extended with exact prefixed or anchored date templates; template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex); 2016-10-07 12:57:45 +00:00			`datepattern = {^LN-BEG}TAI64N`
			`{^LN-BEG}`

DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# DEV Notes:`
			`# * the first regex is essentially a copy of pam-generic.conf`
Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00			`# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`#`
			`# Author: Martin Waschbuesch`
			`# Daniel Black (rewrote with begin and end anchors)`
Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00			`# Martin O'Neal (added LDAP authentication failure regex)`
filter.d/dovecot.conf update: - fixes failregex, that ignores failures through some irrelevant info (closes #1623); - ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?\|tried to use (disabled\|disallowed) \S+ auth)\)` - review, IPv6 compatibility fix, non-capturing groups 2016-11-26 15:50:37 +00:00			`# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)`