LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-31-2009, 03:29 PM   #1
kevinslair
LQ Newbie
 
Registered: May 2009
Location: Binghamton, NY
Distribution: FC9, FC10, FC11 beta
Posts: 17

Rep: Reputation: 0
Fail2ban and Dovecot Regex


Hi, there!
My name is Kevin and I'm new to LQ.

I hope this is the right forum for this question.

I would like help to create my own regex for dovecot and such using fail2ban. It seems like everything I do is wrong with the check:

Code:
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf
This one works:

Code:
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
What I am trying to accomplish is when someone aborts the login like this:

Code:
dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<horseshit>, method=PLAIN, rip=::ffff:xxx.xxx.xxx.xxx, lip=::ffff:xxx.xxx.xxx.xxx, secured
That's the actual log minus the ip's.

I would like to nip this in the bud but don't get how regex works. If someone could help explain how to create my own regex that would be cool.

Thanks!!!!
Kevin
 
Old 05-31-2009, 05:36 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615Reputation: 615Reputation: 615Reputation: 615Reputation: 615Reputation: 615
http://www.regular-expressions.info/
 
Old 05-31-2009, 05:51 PM   #3
kevinslair
LQ Newbie
 
Registered: May 2009
Location: Binghamton, NY
Distribution: FC9, FC10, FC11 beta
Posts: 17

Original Poster
Rep: Reputation: 0
Thank you for the reply

Thanks for the reply. I have checked out that page and it looks interesting.

Here is the code so far:

Code:
Aborted Login|Disconnected (.*).*rip=<HOST>,

I am getting the error here when I run the self check:

Code:
Found a match for 'dovec Info: pop3-login: Disconnected: Inactivity: user=<mom>, method=PLAIN, rip=::ffff:xxx.xxx.xxx.xxx, lip=::ffff:xxx.xxx.xxx.xxx, secured
' but no valid date/time found for 'ot: May 31 18:41:13'. Please contact the author in order to get support for this format

I used dovecot: pam.*(?:

it still didn't work. I looked it up online and people are using it.

Thanks,
Kevin
 
Old 05-31-2009, 08:19 PM   #4
kevinslair
LQ Newbie
 
Registered: May 2009
Location: Binghamton, NY
Distribution: FC9, FC10, FC11 beta
Posts: 17

Original Poster
Rep: Reputation: 0
I got it to work.
Thank you !!!!

In order to get rid of the "dovecot:" in the beginning of the log file you have to put a # in front of log_path and and info_log_path then the default is /var/log/maillog which won't have the dovecot: in front of the timestamp.

I use both:
/var/log/secure and /var/log/maillog in the jail.conf file:

Code:
[dovecot-secure]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Secure, dest=you@yourdomain.com]
logpath = /var/log/secure
maxretry = 2 
findtime = 600
# Ban time is in seconds. 60 * 60 = 3600 seconds = 1hr. * 2 = 7200 seconds
bantime = 7200

[dovecot-maillog]

enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
          sendmail-whois[name=Dovecot-Maillog, dest=you@yourdomain.com]
logpath = /var/log/maillog
maxretry = 2 
findtime = 600
# Ban time is in seconds. 60 * 60 = 3600 seconds = 1hr. * 2 = 7200 seconds
bantime = 7200

and for the dovecot-secure.conf file:

Code:
[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

failregex =  (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

ignoreregex =
Here is the code for the dovecot-maillog.conf:

Code:
[Definition]
# to test set up use this
# /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*

ignoreregex = (?: Disconnected: Logged out).*
If there are any other pop3, imap or smtp problems I will come back and let you know.

Thanks,
Kevin

Last edited by kevinslair; 06-01-2009 at 08:18 AM. Reason: took out my email address
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Fail2ban, is it working? SuperDude123 Linux - Security 7 02-17-2009 09:09 PM
Need help with fail2ban regex jakev383 Linux - Security 6 12-07-2008 09:35 AM
Fail2ban and Firestarter baldur2630 Linux - Software 2 09-29-2008 05:46 AM
regex with sed to process file, need help on regex dwynter Linux - Newbie 5 08-31-2007 05:10 AM
Fail2Ban Question nomb Debian 0 05-21-2007 07:28 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration