diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 18:41:06 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:40 +0100 |
commit | e2ddcfc51f66c2a52a401064eab005e793f148ee (patch) | |
tree | 7c14243b2d53f81e54c9ee77dc526c71559e572a /roles/common/files/etc/fail2ban | |
parent | 7d9380c2c9dd87876ce4d9f9b30c934505fcba51 (diff) |
Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.
Diffstat (limited to 'roles/common/files/etc/fail2ban')
-rw-r--r-- | roles/common/files/etc/fail2ban/filter.d/dovecot.conf | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf new file mode 100644 index 0000000..4d4ea16 --- /dev/null +++ b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf @@ -0,0 +1,34 @@ +# Fail2Ban filter Dovecot authentication and pop3/imap server +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (auth|dovecot(-auth)?|auth-worker) + +# Take the filter from Stretch and add managesieve to the list of protected services +failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ + ^%(__prefix_line)s(?:pop3|imap|managesieve)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ + ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ + ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ + +ignoreregex = + +[Init] + +journalmatch = _SYSTEMD_UNIT=dovecot.service + +# DEV Notes: +# * the first regex is essentially a copy of pam-generic.conf +# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) +# * Removed the 'no auth attempts' log lines from the matches because produces +# lots of false positives on misconfigured MTAs making regexp unusable +# +# Author: Martin Waschbuesch +# Daniel Black (rewrote with begin and end anchors) +# Martin O'Neal (added LDAP authentication failure regex) +# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) |