Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 23 Jul 2016 17:06:53 -0400
From:      pathiaki2 <pathiaki2@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Fail2ban python regex issue
Message-ID:  <1b35e652-1540-6eb3-9a6e-47a0cf4ce97a@yahoo.com>
next in thread | raw e-mail | index | archive | help 
Hi,

I'm extending fail2ban to catch things on FreeBSD.

Right now I'm looking at dovecot.

This is the standard file.

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = 
^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* 
rhost=<HOST>(\s+user=\S*)?\s*$
             ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted 
login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in 
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( 
user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, 
TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL 
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: 
Disconnected)?)?(, session=<\S+>)?\s*$
             ^%(__prefix_line)s(Info|dovecot: 
auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): 
pam_authenticate\(\) failed: (User not known to the underlying 
authentication module: \d+ Time\(s\)|Authentication failure \(password 
mismatch\?\))\s*$
             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): 
(pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
             ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: 
ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

I have a line I want to match.  However, every python interpreter that I 
hit says this works....  However, fail2ban doesn't catch the line.

The line:

Jul 23 00:02:48 <machine FQDN> dovecot: auth: 
ldap(valeria,91.200.12.148): unknown user (SHA1 of given password: 
e557ee1b78fd6978af5ea1f614597f79dc13c40e)

I'm trying this:

^%(__prefix_line)s(: auth: ldap\(\S+,<HOST>\):) unknown user\s*$

What am I missing?  There's no error with the interpreter, it's just not 
matching the line.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1b35e652-1540-6eb3-9a6e-47a0cf4ce97a>