From 3339dc8d84aa30e029cf066a92ddbde8a2c0cc4e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 25 Jul 2014 10:12:17 -0400
Subject: [PATCH] ENH: cyrus-imap -- catch also 'user not found' attempts
---
 ChangeLog | 1 +
 THANKS | 1 +
 config/filter.d/cyrus-imap.conf | 2 +-
 fail2ban/tests/files/logs/cyrus-imap | 5 ++++-
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 53e2e705..33ecc095 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 * Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output
 * Log unhandled exceptions
+ * cyrus-imap: catch "user not found" attempts
 ver. 0.9.0 (2014/03/14) - beta
 ----------
diff --git a/THANKS b/THANKS
index 656a4ad4..023ec601 100644
--- a/THANKS
+++ b/THANKS
@@ -80,6 +80,7 @@ onorua
 Paul Marrapese
 Noel Butler
 Patrick Börjesson
+Pressy
 Raphaël Marichez
 RealRancor
 René Berber
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index f8bee060..73764d9d 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -13,7 +13,7 @@ before = common.conf
 _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
-failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/cyrus-imap b/fail2ban/tests/files/logs/cyrus-imap
index c46cb1ee..f1edff06 100644
--- a/fail2ban/tests/files/logs/cyrus-imap
+++ b/fail2ban/tests/files/logs/cyrus-imap
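Review bot: The alternation added to `failregex` in config/filter.d/cyrus-imap.conf is a capturing group, although nothing reads the capture and `_daemon` just above already uses the `(?:...)` form; `(?:authentication failure|user not found)` would leave the host as the only group that carries meaning. The host bracket appears as `\[\]` on both the old and the new line here, so a host tag was presumably lost in rendering rather than changed by the commit. The first sample added to the test log reports a property missing from sasldb, so this pattern may also count lookup failures on the auth backend as failed logins; a comment above `failregex` such as `# also matches SASL(-13) "user not found", which includes sasldb lookup misses` would tell an operator why a misconfigured backend can lead to bans.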
@@ -12,4 +12,7 @@ Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGE
 Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
 # failJSON: { "time": "2004-12-30T16:03:27", "match": true , "host": "1.2.3.4" }
 Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SASL(-13): authentication failure: External SSF not good enough]
-
+# failJSON: { "time": "2005-07-17T22:55:56", "match": true , "host": "1.2.3.4" }
+Jul 17 22:55:56 derry cyrus/imaps[7568]: badlogin: serafinat.xxxxxx [1.2.3.4] plain [SASL(-13): user not found: user: pressy@derry property: cmusaslsecretPLAIN not found in sasldb]
+# failJSON: { "time": "2005-07-18T16:46:42", "match": true , "host": "1.2.3.4" }
+Jul 18 16:46:42 derry cyrus/imaps[27449]: badlogin: serafinat.xxxxxx [1.2.3.4] PLAIN [SASL(-13): user not found: Password verification failed]
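Review bot: The first added sample keeps what looks like a real account and server name (`pressy@derry`, host `derry`), even though the client name on the same line was masked to `serafinat.xxxxxx`. The older samples in this file use `example.com` and documentation addresses, and the new lines could follow that with a placeholder such as `user: user@example.com`. The pattern ends in `.*` after `user not found:`, so masking the account does not change what the sample tests. Both new samples come from `cyrus/imaps`; a `pop3` line carrying `user not found` would exercise the other branch of `_daemon`, if the daemon logs one.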