Package: fail2ban
Version: 0.11.2-2
Severity: normal
Tags: patch

Dear Maintainer,

* What led up to the situation?

fail2ban didn't find/ban failed logins in the configured courier-auth jail.

* What exactly did you do (or not do) that was effective (or ineffective)?

Failed courier-imapd logins are logged in /var/log/mail.log as:
Jan 27 09:00:00 servername imapd: LOGIN FAILED, user=xxxxxxx, ip=[::ffff:xxx.xxx.xxx.xxx], port=[xxxxx]

The current courier-auth failregex fails to match this because there is a port 
mentioned after the ip section. 
An update to the failregex is needed to reflect this. 
failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\].*$

* What was the outcome of this action?

Fail2ban matches failed courier-imapd(-ssl) logins again as expected.
Not sure if this applies to Debian systems only. 

Best regards,
Daan Willems

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.9.2-3

Versions of packages fail2ban recommends:
ii  iptables           1.8.7-1
ii  nftables           0.9.8-3.1
ii  python3-pyinotify  0.9.6-1.3
ii  python3-systemd    234-3+b4
ii  whois              5.5.10

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-2
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2102.0-2
pn  sqlite3                      <none>

-- Configuration Files:

/etc/fail2ban/filter.d/courier-auth.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\].*$
ignoreregex = 
datepattern = {^LN-BEG}

-- no debconf information
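To check the failregex change above outside a running fail2ban, here is an added example (not part of the report or of fail2ban itself) that expands %(__prefix_line)s and <HOST> with simplified stand-ins (an assumption; fail2ban's real expansions from common.conf are more elaborate) and runs both failregex variants over constructed log lines shaped like the one in the report.

```python
import re

# Constructed sample lines (addresses, user and port are placeholders), shaped like the
# report's mail.log entry: one with the trailing port field, one in the older form without it.
SAMPLE_WITH_PORT = ("Jan 27 09:00:00 servername imapd: LOGIN FAILED, user=alice, "
                    "ip=[::ffff:192.0.2.10], port=[51234]")
SAMPLE_NO_PORT = ("Jan 27 09:00:00 servername imapd-ssl: LOGIN FAILED, method=PLAIN, "
                  "ip=[::ffff:192.0.2.10]")

# _daemon exactly as in the report's filter; PREFIX_LINE and HOST are simplified
# stand-ins for fail2ban's %(__prefix_line)s and <HOST> (assumption, not the real ones).
DAEMON = r"(?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?"
PREFIX_LINE = r"(?:\S+ +\d+ \d\d:\d\d:\d\d )?\S+ " + DAEMON + r"(?:\[\d+\])?: "
HOST = r"(?:::ffff:)?(?P<host>[0-9A-Fa-f:.]+)"   # strips the IPv4-mapped prefix like fail2ban

# The two failregex lines from the report: shipped (old) and proposed (new).
OLD_FAILREGEX = r"^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$"
NEW_FAILREGEX = r"^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\].*$"


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute the two placeholders and compile, mimicking what the filter does."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def match_host(failregex: str, line: str):
    """Return the captured host (the address fail2ban would ban), or None if no match."""
    m = compile_failregex(failregex).match(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        print(f"{name} failregex, line with port:    {match_host(rx, SAMPLE_WITH_PORT)}")
        print(f"{name} failregex, line without port: {match_host(rx, SAMPLE_NO_PORT)}")
```

On a real system, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/courier-auth.conf` performs the same check with fail2ban's true placeholder expansions.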