Merge branch 'dovecot' of https://github.com/grooverdan/fail2ban

* 'dovecot' of https://github.com/grooverdan/fail2ban: ENH: remove non-capturing groups for readibility BF: fix dovecot filter for when no TLS is enabled on pop/imap Conflicts: ChangeLog -- changelog entries. Also untabified few other spots
2013-07-02 10:12:51 -04:00 · 2013-07-02 10:12:51 -04:00 · e6ebcf6687
parent f0f237fa05 e6823149a1
commit e6ebcf6687
4 changed files with 7 additions and 3 deletions
--- a/4
+++ b/4
@ -15,6 +15,8 @@ ver. 0.8.11 (2013/XX/XXX) - wanna-be-released
   * filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
   * filter.d/apache-common.conf -- support apache 2.4 more detailed error
     log format.  Closes gh-268
+  Daniel Black & Мернов Георгий
+   * filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
 - New Features:
  Daniel Black & ykimon
   * filter.d/3proxy.conf -- filter added
@ -26,7 +28,7 @@ ver. 0.8.11 (2013/XX/XXX) - wanna-be-released
   * filter.d/exim.conf -- regex hardening and extra failure examples in
     sample logs
  Daniel Black & Sebastian Arcus
-	 * filter.d/asterisk -- more regexes
+   * filter.d/asterisk -- more regexes
  Yaroslav Halchenko
   * fail2ban-regex -- refactored to provide more details (missing and
     ignored lines, control over logging, etc) while maintaining look&feel
--- a/1
+++ b/1
@ -33,6 +33,7 @@ Mark Edgington
 Markus Hoffmann
 Marvin Rouge
 mEDI
+Мернов Георгий
 Michael C. Haller
 Michael Hanselmann
 NickMunger
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -16,8 +16,8 @@ _daemon = dovecot(-auth)?
 #          first regex is essentially a copy of pam-generic.conf
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)s(pam_unix(?:\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \((no auth attempts|auth failed, \d+ attempts|tried to use disabled \S+ auth)\):( user=<\S+>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3},( TLS( handshaking)?(: Disconnected)?)?\s*$
+failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \((no auth attempts|auth failed, \d+ attempts|tried to use disabled \S+ auth)\):( user=<\S+>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?\s*$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/testcases/files/logs/dovecot
+++ b/testcases/files/logs/dovecot
@ -12,4 +12,5 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
 Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
 Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
 Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
+Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210