From: Russell J. <rj...@eg...> - 2009-11-13 03:17:16
That last regex seemed to work! Thanks!

[root@server1 log]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use log file   : /var/log/secure


Results
=======

Failregex
|- Regular expressions:
|  [1] dovecot:auth\): authentication failure; .*ruser= rhost=<HOST> .*
|
`- Number of matches:
   [1] 99 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:48:59 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:00 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:03 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:05 2009)
    174.133.219.34 (Tue Nov 10 12:49:01 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:02 2009)
    174.133.219.34 (Tue Nov 10 12:49:05 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:04 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:07 2009)
    174.133.219.34 (Tue Nov 10 12:49:06 2009)
    174.133.219.34 (Tue Nov 10 12:49:08 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:09 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    174.133.219.34 (Tue Nov 10 12:49:10 2009)
    76.187.190.199 (Thu Nov 12 06:37:15 2009)
    63.236.37.73 (Thu Nov 12 11:22:03 2009)
    127.0.0.1 (Thu Nov 12 13:07:11 2009)
    127.0.0.1 (Thu Nov 12 15:09:58 2009)
    127.0.0.1 (Thu Nov 12 15:12:21 2009)
    127.0.0.1 (Thu Nov 12 15:12:27 2009)
    127.0.0.1 (Thu Nov 12 15:13:05 2009)
    127.0.0.1 (Thu Nov 12 15:13:13 2009)
    127.0.0.1 (Thu Nov 12 15:13:22 2009)
    98.197.128.40 (Thu Nov 12 15:14:33 2009)
    127.0.0.1 (Thu Nov 12 18:33:55 2009)
    98.197.128.40 (Thu Nov 12 18:39:56 2009)
    98.197.128.40 (Thu Nov 12 19:02:58 2009)

Date template hits:
996 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 99

However, look at the above section 'Running tests' which could contain important
information.


However, I noticed it picked up 127.0.0.1 failures also. Those are failures from my webmail client... how would I go about ignoring that? Obviously I don't want it banning localhost.


René Berber wrote:
> Russell Jones wrote:
>> :-( Unfortunately it just bombs on this one. Not sure if I am doing
>> something wrong or not:
>
> No, it's not your fault.
>
>> [root@server1 filter.d]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot-pop3imap.conf
>>
>> Running tests
>> =============
>>
>> Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
>> Use log file   : /var/log/secure
>> Traceback (most recent call last):
>>   File "/usr/bin/fail2ban-regex", line 372, in ?
>>     fail2banRegex.testRegex(line)
>>   File "/usr/bin/fail2ban-regex", line 225, in testRegex
>>     ret = self.__filter.processLine(line)
>>   File "/usr/share/fail2ban/server/filter.py", line 265, in processLine
>>     return self.findFailure(timeLine, logLine)
>>   File "/usr/share/fail2ban/server/filter.py", line 321, in findFailure
>>     ipMatch = DNSUtils.textToIp(host)
>>   File "/usr/share/fail2ban/server/filter.py", line 562, in textToIp
>>     ip = DNSUtils.dnsToIp(text)
>>   File "/usr/share/fail2ban/server/filter.py", line 518, in dnsToIp
>>     return socket.gethostbyname_ex(dns)[2]
>> socket.herror: (0, 'Resolver Error 0 (no error)')
>> [root@server1 filter.d]#
>
> It didn't even get to the part where it shows you the regex(es) it will
> use... My guess is the "@" messes up things, try quoting it (i.e. \@
> instead of plain @).
>
>> Here is my filter.d file for it:
>>
>> [Definition]
>> failregex = dovecot:auth\): authentication failure; .*ruser= rhost=(?P<host>\S*) user=(?P<user>\S*)@.*
>> ignoreregex =
>
> Or we can just get rid of the @, f2b doesn't use the user anyway. And we
> could use <HOST> instead of the corresponding part, like:
>
> dovecot:auth\): authentication failure; .*ruser= rhost=<HOST> .*
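Added example, not part of the thread and not fail2ban's own code: a small Python script that runs the final failregex from the thread over a handful of constructed pam_unix(dovecot:auth) log lines and applies an ignore list the way fail2ban's jail-level `ignoreip` option does, which is the mechanism that answers the "don't ban localhost" question above (fail2ban ships with `ignoreip = 127.0.0.1` in jail.conf by default). The `<HOST>` expansion is reproduced from memory of fail2ban 0.8's failregex.py and is an assumption, as are the sample log lines and the `IGNOREIP` list; a hostname that is not a literal IP is recorded as unresolved rather than looked up, since that DNS lookup (`DNSUtils.dnsToIp`) is exactly where the quoted traceback blew up. It also includes one line with nothing after the host, to show that the trailing ` .*` in the regex makes the space after `<HOST>` mandatory.

```python
import ipaddress
import re

# Final failregex from the thread, as it appears in the working filter.
FAILREGEX = r"dovecot:auth\): authentication failure; .*ruser= rhost=<HOST> .*"

# What fail2ban 0.8 substitutes for <HOST> before compiling the failregex
# (assumption: reproduced from memory of failregex.py, not imported from it).
# The optional prefix strips the IPv4-mapped "::ffff:" form.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Equivalent of the jail.conf "ignoreip" option: plain IPs or CIDR ranges
# that are never counted, whatever the failregex matches. Constructed list.
IGNOREIP = ["127.0.0.1", "10.0.0.0/8"]

# Constructed sample lines in the pam_unix(dovecot:auth) syslog format the
# thread's regex targets; none of these come from the original /var/log/secure.
SAMPLE_LOG = """\
Nov 12 15:13:22 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=127.0.0.1 user=alice
Nov 12 15:14:33 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=98.197.128.40 user=alice
Nov 12 15:14:35 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=98.197.128.40 user=bob
Nov 12 15:15:01 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=10.1.2.3 user=carol
Nov 12 15:15:09 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=not-an-ip.example user=dave
Nov 12 15:16:00 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.9
Nov 12 15:16:30 server1 sshd[1234]: Accepted publickey for alice from 203.0.113.9 port 5555 ssh2
Nov 12 15:17:00 server1 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:198.51.100.7 user=erin
"""
# Line 6 above is a deliberate edge case: the host is the last token, so the
# regex's mandatory space after <HOST> never matches and the line is skipped.


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban 0.8 does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def is_ignored(host, ignoreip):
    """True if host (a literal IP string) falls inside any ignoreip entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip)


def find_failures(log_text, failregex=FAILREGEX, ignoreip=IGNOREIP):
    """Apply the failregex line by line.

    Returns (counted, ignored, unresolved): failure counts per host that
    would be eligible for banning, counts per host suppressed by ignoreip,
    and host strings that are not literal IPs (fail2ban would resolve them).
    """
    rx = compile_failregex(failregex)
    counted, ignored, unresolved = {}, {}, []
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # fail2ban calls DNSUtils.dnsToIp() here; we stay offline.
            unresolved.append(host)
            continue
        bucket = ignored if is_ignored(host, ignoreip) else counted
        bucket[host] = bucket.get(host, 0) + 1
    return counted, ignored, unresolved


if __name__ == "__main__":
    counted, ignored, unresolved = find_failures(SAMPLE_LOG)
    for host, n in counted.items():
        print(f"{host}: {n} failure(s)")
    print("ignored by ignoreip:", ignored)
    print("unresolved hosts:", unresolved)
```

With the ignore list above, 127.0.0.1 and the 10/8 address are matched by the failregex but never reach the ban count, which is the behaviour `ignoreip` gives in a running jail; `ignoreregex` in the filter file is the other option, but it excludes whole log lines by pattern rather than by source address, so an address list is the better fit for a trusted webmail host.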