Ok. Minor amendment as I was not looking at the first failures, only the 
ones without a reverse DNS, so:

    authenticator failed for .*\(.*\) \[<HOST>\]: 535 Incorrect authentication data

This matches both cases.

Nick

On 29/11/2016 16:37, Nick Howitt wrote:
> I'm not sure what you want at the beginning for the date/time and 
> process id (login_saslauthd_server?) but then shouldn't the regex be 
> something like:
>
> authenticator failed for \(.*\) \[<HOST>\]: 535 Incorrect authentication data
>
> You could get cute and regex the first IP address but it is not worth 
> it unless \) ends up matching the end of the set_id bit
>
> Nick
>
> On 2016-11-29 15:31, Drew Happli wrote:
>> I am running into an issue in getting the correct regex for my Exim
>> logs to be able to block/ban people who are trying to brute force
>> spamming through my server. A few weeks ago we found a user's
>> account that was compromised and was being used to send spam. We
>> forced the user to change their password. After that we found a
>> number of our userbase had older passwords. So we forced everyone to
>> change their passwords. Now we are seeing tons of attempted logins
>> for these accounts that are not working.
>>
>> I have included all relevant configs and log files below:
>>
>> Errors in the /var/log/exim4/mainlog:
>>
>> 2016-11-29 09:43:28 login_saslauthd_server authenticator failed for
>> 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]:
>> 535 Incorrect authentication data (set_id=axxxxxxx)
>> 2016-11-29 09:43:38 login_saslauthd_server authenticator failed for
>> 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]:
>> 535 Incorrect authentication data (set_id=axxxxxxx)
>> 2016-11-29 09:46:51 login_saslauthd_server authenticator failed for
>> cpe-173-172-251-146.rgv.res.rr.com (RmJCYi) [173.172.251.146]: 535
>> Incorrect authentication data (set_id=axxxxxxx)
>> 2016-11-29 09:48:36 login_saslauthd_server authenticator failed for
>> dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1])
>> [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
>> 2016-11-29 09:48:45 login_saslauthd_server authenticator failed for
>> dynamic-194-228-20-179.ipv4.broadband.iol.cz ([10.0.0.1])
>> [194.228.20.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
>> 2016-11-29 09:50:31 login_saslauthd_server authenticator failed for
>> mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4])
>> [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
>> 2016-11-29 09:50:41 login_saslauthd_server authenticator failed for
>> mm-209-81-214-37.mogilev.dynamic.pppoe.byfly.by ([192.168.1.4])
>> [37.214.81.209]: 535 Incorrect authentication data (set_id=dxxxxxx)
>> 2016-11-29 09:54:19 login_saslauthd_server authenticator failed for
>> ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data
>> (set_id=cxxxxxxx)
>> 2016-11-29 09:54:30 login_saslauthd_server authenticator failed for
>> ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data
>> (set_id=cxxxxxxx)
>> 2016-11-29 09:57:35 login_saslauthd_server authenticator failed for
>> ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data
>> (set_id=dxxxxxx)
>> 2016-11-29 09:57:40 login_saslauthd_server authenticator failed for
>> ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data
>> (set_id=cxxxxxxx)
>> 2016-11-29 10:18:11 login_saslauthd_server authenticator failed for
>> ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data
>> (set_id=dxxxxxx)
>> 2016-11-29 10:18:21 login_saslauthd_server authenticator failed for
>> ([10.66.0.104]) [188.68.134.108]: 535 Incorrect authentication data
>> (set_id=cxxxxxxx)
>>
>> sasl.conf
>>
>> # Fail2Ban configuration file
>> #
>> # Author: Yaroslav Halchenko
>> #
>> # $Revision: 728 $
>> #
>>
>> [Definition]
>>
>> # Option: failregex
>> # Notes.: regex to match the password failures messages in the logfile. The
>> # host must be matched by a group named "host". The tag "<HOST>" can
>> # be used for standard IP/hostname matching and is only an alias for
>> # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
>> # Values: TEXT
>> #
>>
>> # Bad Regexes
>> # failregex = login_saslauthd_server authenticator failed for \[<HOST>\]: 535 Incorrect authentication data
>> # failregex = ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
>>
>> # Current regex:
>>
>> failregex = "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"
>>
>> # Option: ignoreregex
>> # Notes.: regex to ignore. If this regex matches, the line is ignored.
>> # Values: TEXT
>> #
>> ignoreregex =
>>
>> jail.local:
>>
>> [sasl]
>> enabled = true
>> port = smtp
>> filter = sasl
>> logpath = /var/log/exim4/mainlog
>> maxretry = 2
>>
>> Test of the regex:
>>
>> fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/sasl.conf -v
>>
>> Running tests
>> =============
>>
>> Use failregex file : /etc/fail2ban/filter.d/sasl.conf
>> Use log file : /var/log/exim4/mainlog
>>
>> Results
>> =======
>>
>> Failregex: 0 total
>> |- #) [# of hits] regular expression
>> | 1) [0] "\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: 535 Incorrect authentication"
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> | [905] Year-Month-Day Hour:Minute:Second
>> | [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
>> | [0] WEEKDAY MONTH Day Hour:Minute:Second Year
>> | [0] WEEKDAY MONTH Day Hour:Minute:Second
>> | [0] MONTH Day Hour:Minute:Second
>> | [0] Year/Month/Day Hour:Minute:Second
>> | [0] Day/Month/Year Hour:Minute:Second
>> | [0] Day/Month/Year2 Hour:Minute:Second
>> | [0] Day/MONTH/Year:Hour:Minute:Second
>> | [0] Month/Day/Year:Hour:Minute:Second
>> | [0] Year-Month-Day Hour:Minute:Second[,subsecond]
>> | [0] Year.Month.Day Hour:Minute:Second
>> | [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
>> | [0] Day-Month-Year Hour:Minute:Second
>> | [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
>> | [0] TAI64N
>> | [0] Epoch
>> | [0] ISO 8601
>> | [0] Hour:Minute:Second
>> | [0] <Month/Day/Year@Hour:Minute:Second>
>> | [0] YearMonthDay Hour:Minute:Second
>> | [0] Month-Day-Year Hour:Minute:Second
>> `-
>>
>> Lines: 905 lines, 0 ignored, 0 matched, 905 missed
>> Missed line(s): too many to print. Use --print-all-missed to print all 905 lines
>>
>> Please let me know if I have forgotten a log file, a config file, or
>> any other information that would be useful to help me solve this
>> issue.
>>
>> Thank you.
>>
>> Drew.
>>
>>
>> ------------------------------------------------------------------------------
>>  
>>
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
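The two regexes under discussion, checked offline against the log lines Drew posted. This is an added example, not code from the thread or from the fail2ban project: it reproduces the `<HOST>` alias quoted in the sasl.conf comments above and runs the patterns with Python's `re` module, which only approximates fail2ban's matching (fail2ban strips the date prefix first and its real HOST definition differs slightly between versions), so `fail2ban-regex` remains the authoritative test. The `hosts_to_ban` helper, the `maxretry` default of 2 from jail.local, and the per-host tally are assumptions made for the example; the sample log lines are copied from Drew's mainlog excerpt.

```python
import re
from collections import Counter

# The <HOST> alias as documented in the sasl.conf comments quoted above.
# Reproduced here so the failregex can be tested without fail2ban installed.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Nick's amended regex from the top of the thread.
NICK_REGEX = (r"authenticator failed for .*\(.*\) \[<HOST>\]: "
              r"535 Incorrect authentication data")

# Drew's current failregex, quotes included: fail2ban does not strip them,
# so the leading " is a literal character that never appears in the log.
DREW_REGEX = (r'"\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]: '
              r'535 Incorrect authentication"')

# Lines copied from Drew's mainlog excerpt: with reverse DNS, with a HELO
# name in the parentheses, and without any reverse DNS at all.
SAMPLE_LOG = """\
2016-11-29 09:43:28 login_saslauthd_server authenticator failed for 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:43:38 login_saslauthd_server authenticator failed for 80-110-70-179.cgn.dynamic.surfer.at ([192.168.0.80]) [80.110.70.179]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:46:51 login_saslauthd_server authenticator failed for cpe-173-172-251-146.rgv.res.rr.com (RmJCYi) [173.172.251.146]: 535 Incorrect authentication data (set_id=axxxxxxx)
2016-11-29 09:54:19 login_saslauthd_server authenticator failed for ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data (set_id=cxxxxxxx)
2016-11-29 09:54:30 login_saslauthd_server authenticator failed for ([192.168.0.136]) [176.59.86.244]: 535 Incorrect authentication data (set_id=cxxxxxxx)
2016-11-29 09:57:35 login_saslauthd_server authenticator failed for ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data (set_id=dxxxxxx)
2016-11-29 09:57:40 login_saslauthd_server authenticator failed for ([192.168.0.3]) [87.241.163.6]: 535 Incorrect authentication data (set_id=cxxxxxxx)
"""


def expand(failregex: str) -> "re.Pattern[str]":
    """Substitute the <HOST> tag the way the sasl.conf comment describes."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matched_hosts(failregex: str, log_text: str) -> list:
    """Return the host captured from every log line the failregex matches."""
    pattern = expand(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(failregex: str, log_text: str, maxretry: int = 2) -> list:
    """Hosts that reached the jail's maxretry (2 in Drew's jail.local).

    Assumed simplification: fail2ban also applies a findtime window, which is
    ignored here because every sample line falls within a few minutes.
    """
    counts = Counter(matched_hosts(failregex, log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in (("Drew", DREW_REGEX), ("Nick", NICK_REGEX)):
        hosts = matched_hosts(regex, SAMPLE_LOG)
        print(f"{name}'s regex: {len(hosts)} matched, "
              f"{SAMPLE_LOG.count(chr(10)) - len(hosts)} missed")
    print("would ban:", hosts_to_ban(NICK_REGEX, SAMPLE_LOG))
```

Drew's pattern matches nothing, which reproduces the `0 matched, 905 missed` result from his `fail2ban-regex` run; Nick's amended pattern matches every sample line, including the ones with no reverse DNS, and yields the external address in the `host` group rather than the private address inside the parentheses.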

