github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
2,604 Commits
34 Branches
229 Tags
21 MiB
Commit Graph

22 Commits (f86ec8020f272811cd7c181ebc510929587caa99)

Author SHA1 Message Date
Daniel Black 273b2f45a3 MRG: remove the "no auth attempts" as per aseques gh-600 2014-01-29 20:43:51 +11:00
Daniel Black 9b614ce486 ENH: dovecot filter enhancements 2014-01-29 20:27:45 +11:00
Joan 9c6aab37d6 As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:32:14 +01:00
Joan aaa86cd10f As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:31:29 +01:00
Joan 08171ba52f Removed the -no auth attempts- from the triggers because of lots of FP 2014-01-28 12:44:46 +01:00
Daniel Black 657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Ivo Truxa 4765bc757c BF Dovecot auth failures 
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can include also other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd do the regex much less restrictive than it is, but if I follow the current logics, the following form works:

<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=&lt;\S*&gt;,)?( method=\S+,)? rip=&lt;HO
ST&gt;, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=&lt;\S+&gt;)?\s*$</pre>
 2014-01-14 17:59:40 +01:00
Daniel Black e55b24c533 BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 12:51:21 +11:00
Daniel Black 7596b96d4f TST: fix date in test comparison for dovecot 2013-10-30 09:05:09 +11:00
Daniel Black cde389cadc ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/ 2013-10-29 10:15:54 +11:00
Daniel Black d60f470096 ENH: added to dovecot filter. closes gh-325 2013-10-09 10:09:06 +11:00
Daniel Black 89e0520675 ENH: dovecot regex to match failure reported by Bob Cohen on mailing list 2013-09-19 08:25:50 +10:00
Steven Hiscocks 4855cae487 Merge branch 'sample-log-meta-data' 
Conflicts:
    testcases/files/logs/dovecot
 2013-07-14 18:29:36 +01:00
Steven Hiscocks 40f67c64b8 TST: Test sample logs' entries are matched by filter regexs 2013-07-13 23:03:01 +01:00
Steven Hiscocks bfa2b9dec3 ENH: dovecot filter additions for session, time value and blank user 2013-07-05 18:36:02 +01:00
Daniel Black 3b76fc79f9 BF: fix dovecot filter for when no TLS is enabled on pop/imap 2013-07-01 21:12:51 +10:00
Daniel Black e8b6acfa65 TST: attempts at injection with username=rhost=1.2.3.4 have no user= logged in dovecot-1.2.15 2013-06-14 00:53:03 +10:00
Daniel Black dbe7ffe050 ENH: dovecot regexs rewritten and extra failures 2013-06-13 23:52:15 +10:00
Yaroslav Halchenko 68c1defb76 ENH: added dovecot example from Daniel Black + example with DoS attempt via injected rhost 2012-12-12 09:16:27 -05:00
hamilton5 ccc62ddbf3 Update testcases/files/logs/dovecot 2012-12-11 12:05:01 -05:00
hamilton5 c534c1d03d Update testcases/files/logs/dovecot 2012-12-11 11:05:22 -05:00
Yaroslav Halchenko fceff2d5b9 moving log samples under testcases/files 2011-11-18 11:57:20 -05:00