summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/fail2ban/filter.d/dovecot.conf
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/etc/fail2ban/filter.d/dovecot.conf')
-rw-r--r--roles/common/files/etc/fail2ban/filter.d/dovecot.conf34
1 files changed, 34 insertions, 0 deletions
diff --git a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf
new file mode 100644
index 0000000..4d4ea16
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf
@@ -0,0 +1,34 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (auth|dovecot(-auth)?|auth-worker)
+
+# Take the filter from Stretch and add managesieve to the list of protected services
+failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
+ ^%(__prefix_line)s(?:pop3|imap|managesieve)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
+ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
+# * Removed the 'no auth attempts' log lines from the matches because produces
+# lots of false positives on misconfigured MTAs making regexp unusable
+#
+# Author: Martin Waschbuesch
+# Daniel Black (rewrote with begin and end anchors)
+# Martin O'Neal (added LDAP authentication failure regex)
+# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-18 09:28:35 +0000