On 07/07/2020 20:27, Antonio Leding wrote:
Thanks Nick & Graham — I have this working now and wanted to provide some quick notes for those who might walk down this path in the future:
- RE can be tested using the “fail2ban-regex” command — I found this incredibly helpful.
- New RE and mode changes can be placed into the desired [ FILTER ].local file. In my case, this was the postfix.local file. In fact, I would think this is preferred so as to leave all of the *.conf files as is.
- I was able to create a new mode (must include both 'mdpr' & 'mdre') and enable it in my postfix.local file. No changes to the postfix.conf file were required.
- It is important to not forget the 'mdpr' piece of this. That is what was missing from the code I posted earlier.
- Here is the code I used:
[Definition]
mdpr-auth3 = warning:
mdre-auth3 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
mode = auth3
Have fun...
On Jul 6, 2020, at 2:18 AM, Nick Howitt <[email protected]> wrote:
On 06/07/2020 09:41, Graham wrote:
On Mon, 6 Jul 2020, Antonio Leding wrote:
I find the level/overrides in the postfix filter confusing at the best of times, but, having another go at it, the mdre-auth filter is only triggered if you set mode to mdre-extra. For mdre-auth2 you need mode = mdre-aggressive.
Date: Mon, 6 Jul 2020 04:38:14...
From: Antonio Leding <[email protected]>
To: [email protected]
Subject: [Fail2ban-users] Parsing "Invalid authentication mechanism" in postfix
I have a Postfix + fail2ban configured to ban when it encounters SASL auth
errors. While most SASL errors do result in a ban, the following does not:
"SASL LOGIN authentication failed: Invalid authentication mechanism"
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
...
Hello Antonio,
I cannot test my thinking, but I see "-MD5" in the regular expression, but not in the sample that you gave - hence the expression would match "LOGIN-MD5" but not "LOGIN auth ...".
I hope this helps you,
If you set mdre-auth3, it will never be included anywhere unless you adjust the modes. I think all you want is in the mdre-auth2 filter, so you just want to enable the aggressive mode.
As far as I can see the MD5 bit is a red herring as it belongs to the (?:CRAM|DIGEST) part of the regex only.
In the mdre-auth regex the (?! Connection lost to authentication server| Invalid authentication mechanism) is a negative lookahead, so at least excludes "Connection lost to authentication server" and may also exclude your "Invalid authentication mechanism", but it is pushing my regex knowledge. If I am right then just enabling mdre-auth2 will be good enough.
Regards,
Nick
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
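The negative lookahead discussed in this thread, as an added Python example (not code from the thread or from the fail2ban project): it runs the mdre-auth pattern from the original question and the mdre-auth3 pattern from the follow-up over constructed Postfix log tails. Assumptions: <HOST> and %(_port)s are replaced by simplified stand-ins, and the inline (?i) is expressed as re.IGNORECASE because Python 3.11+ rejects a global flag that is not at the start of a pattern.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's <HOST> tag and the
# %(_port)s interpolation; fail2ban expands these itself.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
PORT = r"(?::\d+)?"

# Common part of both patterns from the thread, minus the inline (?i).
SASL = (r"^[^[]*\[<HOST>\]%(_port)s: SASL "
        r"(LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:")
# Negative lookahead carried by mdre-auth in the original question.
LOOKAHEAD = (r"(?! Connection lost to authentication server"
             r"| Invalid authentication mechanism)")


def expand(pattern):
    """Substitute the stand-ins and compile case-insensitively."""
    pattern = pattern.replace("<HOST>", HOST).replace("%(_port)s", PORT)
    return re.compile(pattern, re.IGNORECASE)


MDRE_AUTH = expand(SASL + LOOKAHEAD)  # lookahead present
MDRE_AUTH3 = expand(SASL)             # lookahead dropped, as in mdre-auth3

# Constructed log tails (the text after "warning: "), documentation IPs only.
SAMPLES = {
    "bad_password": "unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "invalid_mech": "unknown[192.0.2.11]: SASL LOGIN authentication failed: Invalid authentication mechanism",
    "backend_down": "unknown[192.0.2.12]: SASL PLAIN authentication failed: Connection lost to authentication server",
    "cram_md5": "unknown[192.0.2.13]: SASL CRAM-MD5 authentication failed: authentication failure",
}


def matched_hosts(regex):
    """Return {sample name: captured host, or None when the line is ignored}."""
    result = {}
    for name, line in SAMPLES.items():
        m = regex.search(line)
        result[name] = m.group("host") if m else None
    return result


if __name__ == "__main__":
    for label, rx in (("mdre-auth", MDRE_AUTH), ("mdre-auth3", MDRE_AUTH3)):
        print(label, matched_hosts(rx))
```

Without the lookahead, the mdre-auth3 pattern also matches "Connection lost to authentication server", which the mdre-auth pattern excludes. The plain LOGIN sample matches both patterns, since "-MD5" is bound only to the (?:CRAM|DIGEST) alternative.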
