Fail2ban and Dovecot Regex

kevinslair · 05-31-2009, 03:29 PM

Hi, there!
My name is Kevin and I'm new to LQ.

I hope this is the right forum for this question.

I would like help to create my own regex for dovecot and such using fail2ban. It seems like everything I do is wrong with the check:

Code:

/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

This one works:

Code:

failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

What I am trying to accomplish is when someone aborts the login like this:

Code:

dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<horseshit>, method=PLAIN, rip=::ffff:xxx.xxx.xxx.xxx, lip=::ffff:xxx.xxx.xxx.xxx, secured

That's the actual log minus the ip's.

I would like to nip this in the bud but don't get how regex works. If someone could help explain how to create my own regex that would be cool.

Thanks!!!!
Kevin

AlucardZero · 05-31-2009, 05:36 PM

http://www.regular-expressions.info/

kevinslair · 05-31-2009, 05:51 PM

Thanks for the reply. I have checked out that page and it looks interesting.

Here is the code so far:

Code:

Aborted Login|Disconnected (.*).*rip=<HOST>,

I am getting the error here when I run the self check:

Code:

Found a match for 'dovec Info: pop3-login: Disconnected: Inactivity: user=<mom>, method=PLAIN, rip=::ffff:xxx.xxx.xxx.xxx, lip=::ffff:xxx.xxx.xxx.xxx, secured
' but no valid date/time found for 'ot: May 31 18:41:13'. Please contact the author in order to get support for this format

I used dovecot: pam.*(?:

it still didn't work. I looked it up online and people are using it.

Thanks,
Kevin

kevinslair · 05-31-2009, 08:19 PM

I got it to work.
Thank you !!!!

In order to get rid of the "dovecot:" in the beginning of the log file you have to put a # in front of log_path and and info_log_path then the default is /var/log/maillog which won't have the dovecot: in front of the timestamp.

I use both:
/var/log/secure and /var/log/maillog in the jail.conf file:

Code:

[dovecot-secure]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Secure, dest=you@yourdomain.com]
logpath = /var/log/secure
maxretry = 2 
findtime = 600
# Ban time is in seconds. 60 * 60 = 3600 seconds = 1hr. * 2 = 7200 seconds
bantime = 7200

[dovecot-maillog]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
          sendmail-whois[name=Dovecot-Maillog, dest=you@yourdomain.com]
logpath = /var/log/maillog
maxretry = 2 
findtime = 600
# Ban time is in seconds. 60 * 60 = 3600 seconds = 1hr. * 2 = 7200 seconds
bantime = 7200

and for the dovecot-secure.conf file:

Code:

[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

failregex =  (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

ignoreregex =

Here is the code for the dovecot-maillog.conf:

Code:

[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*

ignoreregex = (?: Disconnected: Logged out).*

If there are any other pop3, imap or smtp problems I will come back and let you know.

Thanks,
Kevin