On Sunday, January 5, 2020 11:26:54 AM CST James Moe via Fail2ban-users wrote:
> What are your filters' regexes?
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)\s*$
            <mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
mode = normal
ignoreregex =
--
Courtney Rosenthal / [email protected] / 512-573-5174