I am running into an issue in getting the correct regex for my Exim logs
to be able to block/ban people who are trying to brute force spamming
through my server. A few weeks ago we found a user's account that was
compromised and was being used to send spam. We forced the user to
change their password. After that we found a number of our userbase had
older passwords. So we forced everyone to change their passwords. Now
we are seeing tons of attempted logins for these accounts that are not
working.
I have included all relevant configs and log files below:
Errors in the /var/log/exim4/mainlog:
2016-11-29 09:43:28 login_saslauthd_server authenticator failed for 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:43:38 login_saslauthd_server authenticator failed for 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:46:51 login_saslauthd_server authenticator failed for cpe-173-172-251-146.rgv.res.rr.com (RmJCYi) [173.172.251.146]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:48:36 login_saslauthd_server authenticator failed for dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1]) [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:48:45 login_saslauthd_server authenticator failed for dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1]) [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:50:31 login_saslauthd_server authenticator failed for mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4]) [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
2016-11-29 09:50:41 login_saslauthd_server authenticator failed for mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4]) [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
2016-11-29 09:54:19 login_saslauthd_server authenticator failed for ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data (set_id=cxxxxxxx)
2016-11-29 09:54:30 login_saslauthd_server authenticator failed for ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data (set_id=cxxxxxxx)
2016-11-29 09:57:35 login_saslauthd_server authenticator failed for ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data (set_id=dxxxxxx)
2016-11-29 09:57:40 login_saslauthd_server authenticator failed for ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data (set_id=cxxxxxxx)
2016-11-29 10:18:11 login_saslauthd_server authenticator failed for ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data (set_id=dxxxxxx)
2016-11-29 10:18:21 login_saslauthd_server authenticator failed for ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data (set_id=cxxxxxxx)
sasl.conf:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Bad Regexes
# failregex = login_saslauthd_server authenticator failed for \[<HOST>\]: 535 Incorrect authentication data
# failregex = ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
# Current regex:
failregex = "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
jail.local:
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/exim4/mainlog
maxretry = 2
Test of the regex:
fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/sasl.conf -v
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sasl.conf
Use log file : /var/log/exim4/mainlog
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [905] Year-Month-Day Hour:Minute:Second
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Day/MONTH/Year:Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 905 lines, 0 ignored, 0 matched, 905 missed
Missed line(s): too many to print. Use --print-all-missed to print all 905 lines
Please let me know if I have forgotten a log file, a config file, or any
other information that would be useful to help me solve this issue.
Thank you.
Drew.

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
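As an added example, not part of Drew's post and not fail2ban's own code: the script below applies the posted failregex to constructed Exim mainlog lines of the same shape as the excerpt above, first exactly as it stands in sasl.conf (with the surrounding double quotes, which fail2ban does not strip from a failregex value and therefore treats as literal characters, so no line can match) and then with the quotes removed. It expands the <HOST> tag using the alias quoted in the filter's own comment, strips the timestamp before matching as fail2ban does, and tallies failures per host against the maxretry value from jail.local. Hostnames, addresses and set_id values are made up for the example, and the findtime window is ignored (every sample line is treated as falling inside it).

```python
import re
from collections import Counter

# The <HOST> alias exactly as documented in the fail2ban filter comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# fail2ban removes the date before applying failregex; this mirrors the
# "Year-Month-Day Hour:Minute:Second" template that matched in the test run.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Constructed sample lines (documentation IPs, invented hostnames and users).
SAMPLE_LINES = [
    "2016-11-29 09:43:28 login_saslauthd_server authenticator failed for "
    "host-a.example.net ([192.168.0.80]) [203.0.113.10]: 535 Incorrect authentication data (set_id=alice)",
    "2016-11-29 09:43:38 login_saslauthd_server authenticator failed for "
    "host-a.example.net ([192.168.0.80]) [203.0.113.10]: 535 Incorrect authentication data (set_id=alice)",
    "2016-11-29 09:46:51 login_saslauthd_server authenticator failed for "
    "host-b.example.net (RmJCYi) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)",
    "2016-11-29 09:54:19 login_saslauthd_server authenticator failed for "
    "([192.168.0.136]) [203.0.113.44]: 535 Incorrect authentication data (set_id=carol)",
    # An ordinary delivery line: carries an address in brackets but is not a failure.
    "2016-11-29 09:55:02 1cBxyz-0001aB-CD <= bob@example.org H=mx.example.org "
    "[198.51.100.9] P=esmtps for carol@example.com",
]

# The failregex exactly as posted in sasl.conf, double quotes included.
QUOTED_FAILREGEX = r'"\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"'
# The same pattern with the surrounding quotes removed.
UNQUOTED_FAILREGEX = r"\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"
# The first of the posted "Bad Regexes", written with the <HOST> tag.
HOST_TAG_FAILREGEX = r"\[<HOST>\]: 535 Incorrect authentication data"


def expand_host(failregex):
    """Replace the <HOST> tag with the named-group alias, as fail2ban does."""
    return failregex.replace("<HOST>", HOST_ALIAS)


def matched_hosts(lines, failregex):
    """Return the <host> capture for every line the failregex matches, in order."""
    regex = re.compile(expand_host(failregex))
    hosts = []
    for line in lines:
        body = DATE_RE.sub("", line, count=1)   # timestamp removed first
        m = regex.search(body)                  # failregex is unanchored
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, failregex, maxretry):
    """Hosts whose failure count reaches maxretry (findtime window ignored)."""
    counts = Counter(matched_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, pattern in [("quoted (as posted)", QUOTED_FAILREGEX),
                           ("unquoted", UNQUOTED_FAILREGEX),
                           ("<HOST> tag", HOST_TAG_FAILREGEX)]:
        hits = matched_hosts(SAMPLE_LINES, pattern)
        print(f"{label}: {len(hits)} matched, hosts={hits}")
    print("would ban (maxretry=2):", hosts_to_ban(SAMPLE_LINES, UNQUOTED_FAILREGEX, 2))
```

The address captured is the bracketed peer address immediately before ": 535", not the private address inside the parentheses, which is only what the client claimed in its HELO; a ban therefore lands on the host that actually connected. The line with no hostname at all ("authenticator failed for ([192.168.0.136]) [...]") is handled the same way, since neither pattern depends on the hostname field. After removing the quotes from sasl.conf, rerunning the fail2ban-regex command from the post is the authoritative check that the hit count is no longer 0.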