
Source code changes of the file "config/filter.d/dovecot.conf" between
fail2ban-1.0.1.tar.gz and fail2ban-1.0.2.tar.gz

About: fail2ban scans log files and bans (via firewall rules) IP addresses that cause too many access failures. It updates firewall rules to reject the IP address.

dovecot.conf  (fail2ban-1.0.1):dovecot.conf  (fail2ban-1.0.2)
# Fail2Ban filter Dovecot authentication and pop3/imap server # Fail2Ban filter Dovecot authentication and pop3/imap server
# #
[INCLUDES] [INCLUDES]
before = common.conf before = common.conf
[Definition] [Definition]
_daemon = (?:dovecot(?:-auth)?|auth)
_auth_worker = (?:dovecot: )?auth(?:-worker)? _auth_worker = (?:dovecot: )?auth(?:-worker)?
_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d +>: )? _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d +>: )?
_daemon = (?:dovecot(?:-auth)?|auth) _bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a uth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:In fo: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a uth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:In fo: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid= \S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-AL T_USER>\S*</F-ALT_USER>)?\s*$ failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid= \S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-AL T_USER>\S*</F-ALT_USER>)?\s*$
^(?:Aborted login|Disconnected|Remote closed connection|Client has q uit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attemp ts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest aut h failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[ ^>]*(?:, session=<\S+>)?)\s*$ ^(?:Aborted login|Disconnected|Remote closed connection|Client has q uit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: i n \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth faile d)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?: , session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User no t known to the underlying authentication module: \d+ Time\(s\)|Authentication fa ilure \([Pp]assword mismatch\?\)|Permission denied)\s*$ ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User no t known to the underlying authentication module: \d+ Time\(s\)|Authentication fa ilure \([Pp]assword mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
<mdre-<mode>> <mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs )?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)? )\s*$ mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconn ected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d + secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=< \S+>)?)\s*$
mdre-normal = mdre-normal =
# Parameter `mode` - `normal` or `aggressive`. # Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like: # Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't fin ish SASL auth'. # 'no auth attempts', 'disconnected before auth was ready', 'client didn't fin ish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs. # Note it may produce lots of false positives on misconfigured MTAs.
# Ex.: # Ex.:
# filter = dovecot[mode=aggressive] # filter = dovecot[mode=aggressive]
mode = normal mode = normal
 End of changes. 4 change blocks. 
3 lines changed or deleted 5 lines changed or added
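Review bot: The new `_bypass_reject_reason` group is undocumented, and its free-text alternative `[^\(]+` can itself consume `: `, so a reason made of several `: `-separated parts can be divided between iterations of the outer `*` in more than one way. On a line that begins with one of the four disconnect phrases but then fails the ` \((?:auth failed…` part (or ` \((?:no auth attempts…` in aggressive mode), a backtracking regex engine may retry those divisions before giving up, which costs matching time on busy mail logs; this applies to both the `failregex` line and `mdre-aggressive`, which now share the group. Consider excluding the separator from the free-text branch so each part can be matched in only one way, and confirm with `fail2ban-regex` against the filter's sample logs that reasons containing a bare `:` still match. I would also add a comment above the definition, for example `# optional ": reason" parts between the disconnect phrase and the "(...)" status; constructed sample: ": Connection closed: read(size=N) failed: Connection reset by peer"`.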
