From 4765bc757c5d651bd5fc556890d21b6a6b01f649 Mon Sep 17 00:00:00 2001
From: Ivo Truxa
Date: Tue, 14 Jan 2014 17:59:40 +0100
Subject: [PATCH 1/2] BF Dovecot auth failures

I am sorry, I installed the Win GIT, but still did not learn how to work with it, so I am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot filter for me, if you don't mind. The current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all, the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can also include other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd make the regex much less restrictive than it is, but if I follow the current logic, the following form works:
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
--- testcases/files/logs/dovecot | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index aa79e65a..b9ca50f9 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot @@ -42,3 +42,9 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" } Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 + +# failJSON: { "time": "2014-01-13T20:51:05", "match": true , "host": "1.2.3.4" } +Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+> +# failJSON: { "time": "2014-01-14T15:54:30", "match": true , "host": "1.2.3.4" } +Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= + From 657da2041c1191fb21d6f70e17298f3216f925cd Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 15 Jan 2014 08:02:47 +1100 Subject: [PATCH 2/2] BF: dovecot filters, session characters and order of session/tls in log messages --- ChangeLog | 2 ++ config/filter.d/dovecot.conf | 2 +- testcases/files/logs/dovecot | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aebfa829..c0b97c85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail. + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters. Thanks Ivo Truxa. Closes gh-586 - Enhancements: - added firewallcmd-ipset action 
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index a51ce259..c4ce7d7c 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index b9ca50f9..5fe89c56 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot 
@@ -43,8 +43,8 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 -# failJSON: { "time": "2014-01-13T20:51:05", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" } Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+> -# failJSON: { "time": "2014-01-14T15:54:30", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=
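Review bot: In the first patch's testcases/files/logs/dovecot hunk, the two new failJSON entries carry 2014 timestamps (`"time": "2014-01-13T20:51:05"` and `"time": "2014-01-14T15:54:30"`) while the entry directly above them uses `"time": "2005-04-19T05:22:20"` for an `Apr 19 05:22:20` line that likewise has no year; every year-less syslog line in this file is evaluated as 2005, so these should read `2005-01-13T20:51:05` and `2005-01-14T15:54:30`, otherwise the cases fail on the date comparison rather than on the regex being tested. The same hunk also adds two expected-match lines without the matching change to config/filter.d/dovecot.conf; as the commit message itself says, the current filter does not match them, so the testcase is red until the regex change lands in the same commit.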
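Review bot: In the config/filter.d/dovecot.conf hunk, moving `(, TLS( handshaking)?(: Disconnected)?)?` ahead of `(, session=<\S+>)?` means a line in the previous session-then-TLS order no longer matches at all. The first commit message argues that no logs show that order, but none of the visible testcases exercise it either way, so either add a negative/positive testcase that pins the order down or make the regex indifferent to it by allowing the session group on both sides of the TLS group, e.g. `(, session=<\S+>)?(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?`. Widening `<\w+>` to `<\S+>` is the right fix for the `/` and `+` in `session=<6brQWt/vCADDhP/+>`, and it stays safe from over-matching because the group is bracketed by the literal `>` and the `\s*$` anchor, so the greedy `\S+` has to backtrack to the closing bracket and cannot swallow trailing fields.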
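Review bot: In the second patch's testcases/files/logs/dovecot hunk, changing the years to 2005 brings the new entries in line with the `"time": "2005-04-19T05:22:20"` convention of the preceding case, but nothing in the file explains that convention and the contributor naturally wrote the real 2014 dates; a one-line comment next to these cases (or at the top of the file) saying that year-less syslog lines are evaluated as 2005 by the test harness would stop the next contributor from repeating this. Separately, the second log line as shown ends in `TLS: Disconnected, session=` with no value after `session=`; confirm the committed line carries the full `session=<...>` token, because with the value missing the case passes only through the optional session group and never exercises the widened `\S+` that this change is meant to test.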