filter.d/courier-auth.conf: consider optional port after IP, regex is rewritten without catch-all's and right anchor, so it is more stable against further modifications now;

closes #3211
2022-02-09 12:18:23 +01:00 · 2022-02-09 12:18:23 +01:00 · 498e473a10
parent 8013cf0b90
commit 498e473a10
2 changed files with 3 additions and 1 deletions
--- a/config/filter.d/courier-auth.conf
+++ b/config/filter.d/courier-auth.conf
@ -11,7 +11,7 @@ before = common.conf

 _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?

-failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
+failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=<F-USER>[^,]*</F-USER>|\w+=[^,]*), )*ip=\[<HOST>\]

 ignoreregex = 

--- a/fail2ban/tests/files/logs/courier-auth
+++ b/fail2ban/tests/files/logs/courier-auth
@ -8,3 +8,5 @@ Nov 13 08:11:53 server imapd-ssl: LOGIN FAILED, user=user@domain.tld, ip=[::ffff
 Apr 17 19:17:11 SERVER courierpop3login: LOGIN FAILED, user=USER@EXAMPLE.org, ip=[::ffff:1.2.3.4]
 # failJSON: { "time": "2005-04-17T19:17:12", "match": true , "host": "192.0.2.4" }
 Apr 17 19:17:12 server imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:192.0.2.4]
+# failJSON: { "time": "2005-04-27T09:00:00", "match": true , "user": "tester", "host": "192.0.2.5" }
+Apr 27 09:00:00 servername imapd: LOGIN FAILED, user=tester, ip=[::ffff:192.0.2.5], port=[255]