OK, I have managed to get the regex working with fail2ban
Regex
^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P<USER>\S+)$
Testlog
Apr 13 15:12:27 mailgw postfix/smtpd[13261]: D3D4A2B: client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=teSty
But... how do I tell fail2ban to count the user logins and not the host IP entries?
_____________________
DI (FH) Martin Hochreiter
Fachverantwortlicher Systemadministration
IT und Infrastruktur
Fachhochschule St. Pölten GmbH
Matthias Corvinus-Straße 15, 3100 St. Pölten
T: +43 (0) 2742 313 228 - 215
M: +43 (0) 676 847 228 215
E: [email protected]
I: www.fhstp.ac.at
FN 146616m, LG St. Pölten, DVR 1028669F
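The per-user counting Martin is asking for, as an added example that is not from the thread or from fail2ban's own code: Python (the `(?P<name>...)` groups in the regex are Python syntax, which is what fail2ban's regex engine reads), running the thread's regex over constructed Postfix log lines and keeping a fail2ban-style sliding window per sasl_username rather than per host. The sample lines, thresholds, the 2017 year and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex from the thread, with the user captured as "user" next to the usual "host" group.
FAILREGEX = re.compile(r"^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P<user>\S+)$")

def parse_line(line):
    """Return (timestamp, host, user) for a SASL login line, or None for any other line."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the thread's log is from 2017 (assumption)
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2017)
    return ts, m.group("host"), m.group("user")

def find_abusers(lines, key="user", maxretry=5, findtime=600):
    """fail2ban-style sliding window keyed by "user" or "host".
    Returns {identity: time it first reached maxretry hits within findtime seconds}."""
    window = timedelta(seconds=findtime)
    hits, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user = parsed
        ident = user if key == "user" else host
        q = hits[ident]
        q.append(ts)
        while ts - q[0] > window:  # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry and ident not in flagged:
            flagged[ident] = ts
    return flagged

def sasl_line(hhmmss, user, client="exchange1.fhstp.local[10.0.1.5]"):
    """Constructed Postfix line in the same shape as the thread's test log."""
    return (f"Apr 13 {hhmmss} mailgw postfix/smtpd[13261]: D3D4A2B: client={client}, "
            f"sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: one host, two users; only teSty authenticates in a burst.
SAMPLE_LOG = (
    ["Apr 13 15:09:27 mailgw postfix/smtpd[13276]: disconnect from exchange1.fhstp.local[10.0.1.5]",
     sasl_line("15:10:01", "alice")]
    + [sasl_line(f"15:10:{5 + 4 * i:02d}", "teSty") for i in range(5)]
    + [sasl_line("15:30:00", "alice")])

if __name__ == "__main__":
    print("by user:", find_abusers(SAMPLE_LOG, key="user"))  # flags teSty only
    print("by host:", find_abusers(SAMPLE_LOG, key="host"))  # flags 10.0.1.5, which alice shares
```

Keyed by host, the shared Exchange relay trips the threshold and alice would be affected along with teSty; keyed by user, only teSty is reported, which is what the external action should receive.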
From: Greg Martin [mailto:[email protected]] On behalf of Greg Martin
Sent: Friday, 14 April 2017 14:12
To: Hochreiter Martin <[email protected]>
Subject: RE: User user instead of ip
I plugged the regex into http://www.regexr.com/ and got an error starting at
the P ?(?P<
From: Hochreiter Martin
Sent: Friday, April 14, 2017 2:17 AM
To: [email protected]
Subject: Re: [Fail2ban-users] User user instead of ip
Can somebody give me a hint please why this isn't working?
[Definition]
failregex = ^.*sasl_username=(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)$
ignoreregex =
Testsample
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: setting up TLS connection from exchange1.fhstp.local[10.0.1.5]
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: Anonymous TLS connection established from exchange1.fhstp.local[10.0.1.5]: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: C247D2B: client=exchange1.fhstp.local[10.0.1.5], sasl_method=LOGIN, sasl_username=testy
Apr 13 15:09:27 mailgw postfix/cleanup[26465]: C247D2B: message-id=<[email protected]>
Apr 13 15:09:27 mailgw postfix/qmgr[27240]: C247D2B: from=<[email protected]>, size=2785449, nrcpt=1 (queue active)
Apr 13 15:09:27 mailgw postfix/smtpd[13276]: disconnect from exchange1.fhstp.local[10.0.1.5]
From: Greg Martin [mailto:[email protected]] On behalf of Greg Martin
Sent: Thursday, 13 April 2017 14:13
To: Hochreiter Martin <[email protected]>; [email protected]
Subject: RE: User user instead of ip
Of course. You said it all - craft the filter and the external command and you
are all set. One of the beauties of this tool.
\\Greg
From: Hochreiter Martin
Sent: Thursday, April 13, 2017 5:11 AM
To: [email protected]
Subject: [Fail2ban-users] User user instead of ip
Hi!
Can I configure fail2ban to scan for usernames instead of IPs?
What for?
Well, we scan for very high numbers of (successful) SASL user authentications in a short time
(an indication of misuse) and block the user in Active Directory ... but
not as well as fail2ban does this with IPs.
So, if I write a filter that filters for usernames and a custom action with an
external command - is this possible?
Regards
Martin