Package: fail2ban
Version: 0.10.2-2.1
Severity: normal
Tags: patch
X-Debbugs-Cc: fpoul...@metrodore.fr

Dear Maintainer,

I am using Dovecot's submission service, which is not the best-known way
of using Dovecot.

It appears that fail2ban's dovecot filter doesn't handle the submission
service's logging format (the fail2ban and dovecot versions released with buster).

The latter looks like:
janv. 06 14:53:12 mx1 dovecot[21994]: submission-login: Remote closed 
connection (auth failed, 1 attempts in 7 secs): ...

Rather than:
Jan  5 16:43:55 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts 
in 14 secs): ...


I locally fixed it by trivially altering the fail2ban dovecot filter:

diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
index 2019a16..71df301 100644
--- a/fail2ban/filter.d/dovecot.conf
+++ b/fail2ban/filter.d/dovecot.conf
@@ -10,10 +10,10 @@ before = common.conf
 _auth_worker = (?:dovecot: )?auth(?:-worker)?
 _daemon = (?:dovecot(?:-auth)?|auth)

-prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: 
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: 
)?<F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: 
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|submission)-login: 
)?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

 failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
-            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth 
failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ 
auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, 
session=<\S+>)?)\s*$
+            ^(?:Aborted login|Disconnected|Remote closed connection)(?::(?: [^ 
\(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use 
(?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User 
not known to the underlying authentication module: \d+ Time\(s\)|Authentication 
failure \(password mismatch\?\)|Permission denied)\s*$
             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid 
credentials)\s*$
             <mdre-<mode>>
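Review bot: the added `Remote closed connection` alternative in the failregex cannot be verified against the report's own sample, because both log excerpts above are cut off right after `): ...`; before merging, confirm that a complete submission-login line ends in the `(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>` form this pattern requires, and add that full line as a test sample for the filter so the new alternative is actually exercised. Note also that the sample submission line carries a localized month abbreviation (`janv. 06`) and a `dovecot[21994]` pid, neither of which the imap sample has and neither of which this hunk touches; it is worth checking separately that the prefix and date handling accept such a line, otherwise the new `submission-login: ` alternative in prefregex (which is otherwise consistent with the existing `(?:pop3|imap)-login: ` alternation) never gets a chance to match.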

Best regards.
François

-- System Information:
Debian Release: buster
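To show concretely why the unpatched filter misses the submission-login line and the patched one catches it, here is an added Python example (not part of the bug report or of fail2ban). It rebuilds the login-failure branch of the dovecot filter as two plain regexes, a simplified stand-in for `__prefix_line` and a literal IPv4 group in place of `<HOST>`, and runs both the "before" and "after" variants over two constructed log lines. The sample lines are constructed for this example (the report truncates its own samples), the `PREFIX` pattern is an assumption that only covers these lines, and the helper names are hypothetical.

```python
import re

# Assumption: a simplified stand-in for fail2ban's __prefix_line (common.conf).
# It accepts a syslog-style timestamp (including a localized month abbreviation
# such as "janv."), a hostname, and "dovecot" with an optional [pid]. The real
# prefix is more general; this is only enough for the constructed lines below.
PREFIX = r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ dovecot(?:\[\d+\])?: "

# Stand-in for fail2ban's <HOST> tag: a plain IPv4 address, captured as "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def build_patterns(services, disconnect_words):
    """Return (prefregex, failregex) mirroring the structure of the dovecot
    filter for the login-failure case. prefregex strips the '<service>-login: '
    prefix and captures the remainder as content; failregex is then applied
    to that content, as fail2ban does with <F-CONTENT>."""
    pref = re.compile(
        PREFIX
        + r"(?:(?:" + "|".join(services) + r")-login: )?"
        + r"(?:Info: )?(?P<content>.+)$"
    )
    fail = re.compile(
        r"^(?:" + "|".join(disconnect_words) + r")"
        r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?"
        r"|tried to use (?:disabled|disallowed) \S+ auth)\):"
        r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=" + HOST
        + r"(?:[^>]*(?:, session=<\S+>)?)\s*$"
    )
    return pref, fail


# "Before" mirrors the filter as shipped; "after" adds the two alternatives
# from the patch (submission-login prefix and "Remote closed connection").
BEFORE = build_patterns(["pop3", "imap"], ["Aborted login", "Disconnected"])
AFTER = build_patterns(
    ["pop3", "imap", "submission"],
    ["Aborted login", "Disconnected", "Remote closed connection"],
)


def match_host(line, patterns):
    """Apply prefregex then failregex; return the offending IP or None."""
    pref, fail = patterns
    m = pref.match(line)
    if not m:
        return None
    f = fail.match(m.group("content"))
    return f.group("host") if f else None


# Constructed sample lines (hypothetical hosts and sessions, not the reporter's).
IMAP_LINE = (
    "Jan  5 16:43:55 mx1 dovecot: imap-login: Disconnected (auth failed, "
    "3 attempts in 14 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, "
    "lip=198.51.100.2, TLS, session=<abc123>"
)
SUBMISSION_LINE = (
    "janv. 06 14:53:12 mx1 dovecot[21994]: submission-login: Remote closed "
    "connection (auth failed, 1 attempts in 7 secs): user=<alice>, "
    "method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, TLS, session=<def456>"
)


def run():
    """Evaluate both lines against both filter variants."""
    return {
        "imap_before": match_host(IMAP_LINE, BEFORE),
        "imap_after": match_host(IMAP_LINE, AFTER),
        "submission_before": match_host(SUBMISSION_LINE, BEFORE),
        "submission_after": match_host(SUBMISSION_LINE, AFTER),
    }


if __name__ == "__main__":
    for name, host in run().items():
        print(f"{name}: {host}")
```

With the unpatched patterns the submission line yields no match at all: the unrecognised `submission-login: ` prefix is left inside the content, so the failregex, which must match from the start of the content, never reaches the `auth failed` part. With the patched patterns it yields the `rip=` address, while the imap line matches identically in both variants, which is the behaviour a regression test for this change should pin down.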