Can somebody give me a hint please why this isn't working?
[Definition]
failregex = ^.*sasl_username=(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)$
ignoreregex =
Test sample:
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: setting up TLS connection from exchange1.fhstp.local[10.0.1.5]
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: Anonymous TLS connection established from exchange1.fhstp.local[10.0.1.5]: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: C247D2B: client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=testy
Apr 13 15:09:27 mailgw postfix/cleanup[26465]: C247D2B: message-id=<[email protected]>
Apr 13 15:09:27 mailgw postfix/qmgr[27240]: C247D2B: from=<[email protected]>, size=2785449, nrcpt=1 (queue active)
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: disconnect from exchange1.fhstp.local[10.0.1.5]
From: Greg Martin [mailto:[email protected]] On Behalf Of Greg Martin
Sent: Thursday, 13 April 2017 14:13
To: Hochreiter Martin <[email protected]>; [email protected]
Subject: RE: User user instead of ip
Of course. You said it all - craft the filter and the external command and you
are all set. One of the beauties of this tool.
\\Greg
From: Hochreiter Martin <[email protected]>
Sent: Thursday, April 13, 2017 5:11 AM
To: [email protected]
Subject: [Fail2ban-users] User user instead of ip
Hi!
Can I configure fail2ban to scan for usernames instead of IPs?
What for?
Well, we scan for very high amounts of (successful) SASL user authentications
in a short time (an indication of misuse) and block the user in Active
Directory ... but not as well as fail2ban does this with IPs.
So, if I write a filter that filters for usernames and a custom action with an
external command - is this possible?
Regards
Martin
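
What the posted failregex captures on the sample smtpd line, plus a per-user sliding-window count of successful SASL logins like the check described in the original question, as an added Python example that is not from the thread or from fail2ban. The `AUTH` pattern, the function names, the thresholds and the `alice`/`192.0.2.10` log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as posted in the thread
POSTED = re.compile(r"^.*sasl_username=(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)$")
# Assumed alternative pattern: client address and user as separate groups
AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def posted_capture(line):
    m = POSTED.search(line)  # returns the posted regex's 'host' group, or None
    return m.group("host") if m else None

def noisy_users(lines, max_auths, window, year=2017):
    """Map user -> client IPs for users with more than max_auths logins in window."""
    recent, flagged = defaultdict(deque), defaultdict(set)
    for line in lines:
        m = AUTH.match(line)
        if not m:
            continue  # TLS setup, cleanup, qmgr and disconnect lines
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:
            q.popleft()  # drop logins that fell out of the window
        if len(q) > max_auths:
            flagged[m["user"]].update(ip for _, ip in q)
    return dict(flagged)

# Line from the thread's test sample, unwrapped
PAGE_LINE = ("Apr 13 15:09:27 mailgw postfix/smtpd[13276]: C247D2B: "
             "client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=testy")
# Constructed burst: five logins by 'alice' within 40 seconds
SAMPLE = [PAGE_LINE] + [
    f"Apr 13 15:10:{s:02d} mailgw postfix/smtpd[13300]: A{s:06d}: "
    "client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice"
    for s in range(0, 50, 10)]
if __name__ == "__main__":
    print(posted_capture(PAGE_LINE), noisy_users(SAMPLE, 3, timedelta(seconds=60)))
```

The posted pattern does match the smtpd line, but its `host` group holds the username `testy` rather than an address.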