595ee7ed74
add submission
2020-11-23 17:42:12 +01:00
0c12cb7970
add managesieve support dovecot filter
2020-11-23 17:42:11 +01:00
8fe07e29ad
filter.d/dovecot.conf: failregex enhancement to catch disconnected with "proxy dest auth failed";
...
closes gh-2184
2018-07-17 15:06:42 +02:00
6f1e789f31
dovecot: collect F-USER and variants
...
We are prefering ruser= if availble because this are credentials
presented to dovecot from remote client.
2018-06-30 16:16:03 +02:00
a923cd209b
`filter.d/dovecot.conf`: failregex enhancement to catch sql password mismatch errors;
2018-06-11 14:30:10 +02:00
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
2017-10-04 09:55:37 +02:00
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
2cfc53c08e
remove capturing groups
2017-09-01 10:25:09 +02:00
9b8563f35e
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
...
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
* no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
* disconnected before auth was ready
* client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
2017-08-07 18:07:36 +02:00
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
bbea73d79d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-06-12 13:11:45 +02:00
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
2017-05-31 15:54:30 +02:00
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
c9f32f75e6
Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10)
2017-01-10 11:25:41 +01:00
5678d08a79
filter.d/dovecot.conf update:
...
- fixes failregex, that ignores failures through some irrelevant info (closes #1623 );
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
ae7297e16b
more precise date template handling (WARNING: this commit creates possible incompatibilities):
...
- datedetector rewritten more strict as earlier;
- default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
- more as one date pattern can be specified using option `datepattern` now (new-line separated);
- some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
- option `datepattern` can be specified in jail also (jails without filters);
- if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
- faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
- standard filters extended with exact prefixed or anchored date templates;
template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
56e5821c06
Match unknown user in dovecot's passwd-file auth database
2015-04-30 16:53:10 +08:00
df581fe6e2
Merge pull request #929 from opoplawski/pam_auth
...
Add filter variable __pam_auth to allow customize for setups with multiple authorization schemes (Close #928 )
2015-02-02 21:42:10 -05:00
b4776a1ba0
Match dovecot unknown user line
2015-01-29 09:37:37 -07:00
3bc92610f7
Add dovecot auth failure from EL7
2015-01-29 09:11:59 -07:00
79b5a2617f
Add filter variable __pam_auth to allow easier changing of pam auth backend
2015-01-27 14:34:27 -07:00
1695d5c076
Fix a few typos
...
Found with https://github.com/lucasdemarchi/codespell
Signed-off-by: Ruben Kerkhof <ruben@rubenkerkhof.com>
2014-03-24 13:16:52 +00:00
59b9045e88
MRG: from master 2014-02-02
2014-02-02 13:21:16 +11:00
273b2f45a3
MRG: remove the "no auth attempts" as per aseques gh-600
2014-01-29 20:43:51 +11:00
9b614ce486
ENH: dovecot filter enhancements
2014-01-29 20:27:45 +11:00
84617fa6da
Fixed a failing case
2014-01-28 16:19:35 +01:00
08171ba52f
Removed the -no auth attempts- from the triggers because of lots of FP
2014-01-28 12:44:46 +01:00
a650178bd1
MRG: merge from master 2014-01-19
2014-01-19 14:48:29 +11:00
657da2041c
BF: dovecot filters, session characters and order of session/tls in log messages
2014-01-15 08:02:47 +11:00
1ac7b53cad
MRG: merge from master
2013-11-13 09:16:45 +11:00
e55b24c533
BF: fix dovecot filter for newer failure message. Closes Debian bug #709324
2013-11-06 12:51:21 +11:00
47d35c9d80
MRG: 0.8.11 to 0.9
...
Epnoc of selinux is now true UTC
Merge multiline support and date detection in filter
2013-11-02 15:59:05 +11:00
89fd792dfb
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page
2013-10-31 00:02:59 +11:00
cde389cadc
ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/
2013-10-29 10:15:54 +11:00
eb59a57b7f
ENH: tighten pam_unix expression for dovecot
2013-10-09 14:54:36 +11:00
864d2f41b9
ENH: auth-worker as per of _daemon definition for dovecot
2013-10-09 14:52:17 +11:00
d60f470096
ENH: added to dovecot filter. closes gh-325
2013-10-09 10:09:06 +11:00
89e0520675
ENH: dovecot regex to match failure reported by Bob Cohen on mailing list
2013-09-19 08:25:50 +10:00
1eea0dcec8
Merge branch 'master' into 0.9
...
Conflicts:
ChangeLog
bin/fail2ban-regex
bin/fail2ban-testcases
config/jail.conf
fail2ban/server/failregex.py
fail2ban/server/filter.py
fail2ban/tests/files/logs/lighttpd
fail2ban/tests/files/logs/mysqld.log
fail2ban/tests/files/logs/wu-ftpd
fail2ban/tests/filtertestcase.py
fail2ban/tests/utils.py
testcases/files/logs/lighttpd
testcases/files/logs/lighttpd-auth
testcases/files/logs/mysqld-auth
testcases/files/logs/mysqld.log
testcases/files/logs/wu-ftpd
testcases/files/logs/wuftpd
2013-07-16 23:16:22 +01:00
bfa2b9dec3
ENH: dovecot filter additions for session, time value and blank user
2013-07-05 18:36:02 +01:00
e6823149a1
ENH: remove non-capturing groups for readibility
2013-07-02 20:16:43 +10:00
3b76fc79f9
BF: fix dovecot filter for when no TLS is enabled on pop/imap
2013-07-01 21:12:51 +10:00
5ca6a9aeb6
Merge branch 'systemd-journal' into 0.9
...
Conflicts:
bin/fail2ban-regex
config/filter.d/sshd.conf
Closes github #224
2013-06-29 13:00:40 +01:00
dbe7ffe050
ENH: dovecot regexs rewritten and extra failures
2013-06-13 23:52:15 +10:00
f7d328195f
NF: Add systemd journal backend
2013-05-10 00:15:07 +01:00
495f2dd877
DOC: purge of svn tags
2013-05-03 16:03:38 +10:00
3969e3f77b
ENH: dovecot.conf - require space(s) before rip/rhost log entry
2012-12-12 09:16:52 -05:00
mpoliwczak834