#7 Updated regexp to match SASL failed logins

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-01-27
Created: 2008-11-18
Private: No

Hello,

The regexp used to match failed SASL authentications (/etc/fail2ban/filter.d/sasl.conf) does not recognize log entries where {CRAM,DIGEST}-MD5 challenges are used.
Here is an updated regexp which matches the following log entries:

: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL CRAM-MD5 authentication failed
: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL CRAM-MD5 authentication failed: PDIzMDIzNDk5NzM3NDA5MDcuMTIyNjYwNTc2OEBtYWlsPg==
: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL DIGEST-MD5 authentication failed: cmVhbG09IiIsbm9uY2U9IkVJMUgyTmhXdkV3RzhiK05hOFJSTnc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=

The updated regexp is:
failregex = : warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>\S+)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

I hope this can help ;)
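
The posted regexp, run over sample log lines as a quick check. This is an added example, not part of the report or of fail2ban itself: the first three lines are the entries quoted in the report (with a constructed syslog prefix), the remaining lines are constructed for the example. It also tries the (?i) variant suggested in the discussion below, and shows two things the report does not spell out: an IPv4-mapped IPv6 client address still yields a bare address in the host group, and a trailing message that is not base64 (such as the constructed "generic failure" line) is not matched at all because of the base64-only group and the $ anchor. The note that fail2ban 0.8 expands <HOST> to (?:::f{4,6}:)?(?P<host>\S+) and searches each line rather than anchoring at its start reflects fail2ban's behaviour as far as I know it; the pattern is spelled out here so it runs under Python's re module directly.

```python
import re

# failregex exactly as posted in the report. In a real filter.d/sasl.conf,
# fail2ban 0.8 lets you write <HOST> for the (?:::f{4,6}:)?(?P<host>\S+) part;
# it is written out here so the pattern runs directly under Python's re module.
FAILREGEX = (
    r": warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>\S+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [A-Za-z0-9+/]*={0,2})?$"
)

# Same pattern with the (?i) flag proposed in the discussion, so that
# "SASL plain authentication failed" (after an "AUTH plain" command) is caught too.
FAILREGEX_CI = "(?i)" + FAILREGEX

# Constructed sample input. Lines 1-3 are the entries quoted in the report
# (with a made-up syslog prefix); the rest are constructed for this example.
SAMPLE_LINES = [
    "Nov 18 10:00:01 mx postfix/smtpd[4242]: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL CRAM-MD5 authentication failed",
    "Nov 18 10:00:02 mx postfix/smtpd[4242]: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL CRAM-MD5 authentication failed: PDIzMDIzNDk5NzM3NDA5MDcuMTIyNjYwNTc2OEBtYWlsPg==",
    "Nov 18 10:00:03 mx postfix/smtpd[4242]: warning: 114-44-134-199.dynamic.hinet.net[114.44.134.199]: SASL DIGEST-MD5 authentication failed: cmVhbG09IiIsbm9uY2U9IkVJMUgyTmhXdkV3RzhiK05hOFJSTnc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=",
    # IPv4-mapped IPv6 client (constructed): the optional ::ffff: prefix is consumed
    # outside the host group, so <host> is the bare IPv4 address.
    "Nov 18 10:00:04 mx postfix/smtpd[4242]: warning: unknown[::ffff:10.0.0.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # Lower-case mechanism name (constructed): only the (?i) variant matches this.
    "Nov 18 10:00:05 mx postfix/smtpd[4242]: warning: client.example.net[192.0.2.10]: SASL plain authentication failed",
    # Trailing text that is not base64 (constructed): neither variant matches,
    # because the optional group allows base64 characters only and $ anchors the end.
    "Nov 18 10:00:06 mx postfix/smtpd[4242]: warning: client.example.net[192.0.2.10]: SASL LOGIN authentication failed: generic failure",
    # Successful authentication (constructed): must not match.
    "Nov 18 10:00:07 mx postfix/smtpd[4242]: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob",
]


def extract_failed_hosts(lines, pattern=FAILREGEX):
    """Return the <host> group of every line the failregex matches, in order.

    re.search is used rather than re.match because fail2ban searches each
    log line for the failregex, so the syslog prefix does not matter here.
    """
    regex = re.compile(pattern)
    return [m.group("host") for m in map(regex.search, lines) if m]


if __name__ == "__main__":
    for name, pattern in (("posted", FAILREGEX), ("with (?i)", FAILREGEX_CI)):
        print(f"{name:>10}: {extract_failed_hosts(SAMPLE_LINES, pattern)}")
```

With the posted regexp the three quoted lines and the IPv4-mapped line are matched; adding (?i) additionally picks up the lower-case "plain" line, while the "generic failure" and successful-login lines are ignored by both.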

Discussion

  • Nobody/Anonymous

    It would also be a good idea to prepend (?i) to make the whole regexp case-insensitive, since one can initiate the authentication with the SMTP command "AUTH plain" (and similarly for the other methods), and in the log there will then be "plain", not "PLAIN".
    David

     
  • Cyril Jaquier

    Cyril Jaquier - 2009-01-27

    Committed. Will be in 0.8.4. Thank you.

     
  • Cyril Jaquier

    Cyril Jaquier - 2009-01-27
    • status: open --> closed-fixed
     
