Commit Graph

54 Commits (5cbc26240640c9caed454ad6d3d7145072867717)

Author SHA1 Message Date
sebres 8fe07e29ad filter.d/dovecot.conf: failregex enhancement to catch disconnected with "proxy dest auth failed";
closes gh-2184
2018-07-17 15:06:42 +02:00
Dobrica Pavlinusic 6f1e789f31 dovecot: collect F-USER and variants
We are prefering ruser= if availble because this are credentials
presented to dovecot from remote client.
2018-06-30 16:16:03 +02:00
Boris Gulay a923cd209b `filter.d/dovecot.conf`: failregex enhancement to catch sql password mismatch errors; 2018-06-11 14:30:10 +02:00
sebres e71f16f6ba Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897) 2017-10-04 09:55:37 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
sebres 2cfc53c08e remove capturing groups 2017-09-01 10:25:09 +02:00
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
  * no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
  * disconnected before auth was ready
  * client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
sebres 2fe1479484 Merge branch '_0.9/gh-1849' into 0.10 2017-08-07 18:07:36 +02:00
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex). 2017-08-07 18:04:09 +02:00
sebres bbea73d79d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-06-12 13:11:45 +02:00
Peter Nowee b93e47b12f
dovecot: Match also when user field is empty
Commit 5678d08 of 2016-11-26 changed:

    ( user=<\S*>,)?

to:

    ( user=<[^>]+>,)?

The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:

    Aborted login (tried to use disallowed plaintext auth): user=<>

This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
sebres 22afdbd536 Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 15:54:59 +01:00
sebres c9f32f75e6 Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10) 2017-01-10 11:25:41 +01:00
sebres 5678d08a79 filter.d/dovecot.conf update:
- fixes failregex, that ignores failures through some irrelevant info (closes #1623);
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
sebres ae7297e16b more precise date template handling (WARNING: this commit creates possible incompatibilities):
- datedetector rewritten more strict as earlier;
  - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
  - more as one date pattern can be specified using option `datepattern` now (new-line separated);
  - some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
  - option `datepattern` can be specified in jail also (jails without filters);
  - if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
  - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  - standard filters extended with exact prefixed or anchored date templates;

template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
theDogOfPavlov cf2aa9c1c0 Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00
Anton Shestakov 56e5821c06 Match unknown user in dovecot's passwd-file auth database 2015-04-30 16:53:10 +08:00
Yaroslav Halchenko df581fe6e2 Merge pull request #929 from opoplawski/pam_auth
Add filter variable __pam_auth to allow customize for setups with multiple authorization schemes (Close #928)
2015-02-02 21:42:10 -05:00
Orion Poplawski b4776a1ba0 Match dovecot unknown user line 2015-01-29 09:37:37 -07:00
Orion Poplawski 3bc92610f7 Add dovecot auth failure from EL7 2015-01-29 09:11:59 -07:00
Orion Poplawski 79b5a2617f Add filter variable __pam_auth to allow easier changing of pam auth backend 2015-01-27 14:34:27 -07:00
Ruben Kerkhof 1695d5c076 Fix a few typos
Found with https://github.com/lucasdemarchi/codespell

Signed-off-by: Ruben Kerkhof <ruben@rubenkerkhof.com>
2014-03-24 13:16:52 +00:00
Daniel Black 59b9045e88 MRG: from master 2014-02-02 2014-02-02 13:21:16 +11:00
Daniel Black 273b2f45a3 MRG: remove the "no auth attempts" as per aseques gh-600 2014-01-29 20:43:51 +11:00
Daniel Black 9b614ce486 ENH: dovecot filter enhancements 2014-01-29 20:27:45 +11:00
Joan 84617fa6da Fixed a failing case 2014-01-28 16:19:35 +01:00
Joan 08171ba52f Removed the -no auth attempts- from the triggers because of lots of FP 2014-01-28 12:44:46 +01:00
Daniel Black a650178bd1 MRG: merge from master 2014-01-19 2014-01-19 14:48:29 +11:00
Daniel Black 657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Daniel Black 1ac7b53cad MRG: merge from master 2013-11-13 09:16:45 +11:00
Daniel Black e55b24c533 BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 12:51:21 +11:00
Daniel Black 47d35c9d80 MRG: 0.8.11 to 0.9
Epnoc of selinux is now true UTC

Merge multiline support and date detection in filter
2013-11-02 15:59:05 +11:00
Daniel Black 89fd792dfb DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-31 00:02:59 +11:00
Daniel Black cde389cadc ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/ 2013-10-29 10:15:54 +11:00
Daniel Black eb59a57b7f ENH: tighten pam_unix expression for dovecot 2013-10-09 14:54:36 +11:00
Daniel Black 864d2f41b9 ENH: auth-worker as per of _daemon definition for dovecot 2013-10-09 14:52:17 +11:00
Daniel Black d60f470096 ENH: added to dovecot filter. closes gh-325 2013-10-09 10:09:06 +11:00
Daniel Black 89e0520675 ENH: dovecot regex to match failure reported by Bob Cohen on mailing list 2013-09-19 08:25:50 +10:00
Steven Hiscocks 1eea0dcec8 Merge branch 'master' into 0.9
Conflicts:
	ChangeLog
	bin/fail2ban-regex
	bin/fail2ban-testcases
	config/jail.conf
	fail2ban/server/failregex.py
	fail2ban/server/filter.py
	fail2ban/tests/files/logs/lighttpd
	fail2ban/tests/files/logs/mysqld.log
	fail2ban/tests/files/logs/wu-ftpd
	fail2ban/tests/filtertestcase.py
	fail2ban/tests/utils.py
	testcases/files/logs/lighttpd
	testcases/files/logs/lighttpd-auth
	testcases/files/logs/mysqld-auth
	testcases/files/logs/mysqld.log
	testcases/files/logs/wu-ftpd
	testcases/files/logs/wuftpd
2013-07-16 23:16:22 +01:00
Steven Hiscocks bfa2b9dec3 ENH: dovecot filter additions for session, time value and blank user 2013-07-05 18:36:02 +01:00
Daniel Black e6823149a1 ENH: remove non-capturing groups for readibility 2013-07-02 20:16:43 +10:00
Daniel Black 3b76fc79f9 BF: fix dovecot filter for when no TLS is enabled on pop/imap 2013-07-01 21:12:51 +10:00
Steven Hiscocks 5ca6a9aeb6 Merge branch 'systemd-journal' into 0.9
Conflicts:
	bin/fail2ban-regex
	config/filter.d/sshd.conf

Closes github #224
2013-06-29 13:00:40 +01:00
Daniel Black dbe7ffe050 ENH: dovecot regexs rewritten and extra failures 2013-06-13 23:52:15 +10:00
Steven Hiscocks f7d328195f NF: Add systemd journal backend 2013-05-10 00:15:07 +01:00
Daniel Black 495f2dd877 DOC: purge of svn tags 2013-05-03 16:03:38 +10:00
Yaroslav Halchenko 3969e3f77b ENH: dovecot.conf - require space(s) before rip/rhost log entry 2012-12-12 09:16:52 -05:00
hamilton5 266cdc29a6 Update config/filter.d/dovecot.conf
even tho not on the fail2ban site..
suggested to not be greedy by yarikoptic
2012-12-11 12:09:28 -05:00
hamilton5 e040c6d8a3 Update config/filter.d/dovecot.conf
site actually needs updated because of <HOST> alias 
per Notes above.
2012-12-11 03:26:14 -05:00