Dovecot Regex
Could anyone build some decent regex for Dovecot failed logins? Right now CSF does not ban any IP from the Dovecot service, and I'm not familiar enough with Perl to do it myself.
After a close look into regex.pm, it looks like the regex is not valid for Dovecot under DirectAdmin.
Here are some examples of Dovecot error logs in /var/log/maillog:
dovecot[7362]: auth(default): passwd-file(nadia,58.27.193.242): no passwd file: /etc/virtual//passwd: 36 Time(s)
dovecot[7362]: auth(default): shadow(download,58.27.193.242): unknown user: 36 Time(s)
dovecot[7362]: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=58.27.193.242, lip=x.x.x.x: 13 Time(s)
Thanks.
Okay, I tried to learn by myself, but actually I'm not sure how to test the regex with lfd, and when I just add it in regex.custom.pm and restart csf+lfd ... lfd just does not start.
And I have debug mode active, but there is no log telling me why lfd crashes.
Here is the regex:
#dovecot_custom
# capture the remote IP inside "passwd-file(user,IP)"; the dots of the IP are escaped so they match literal dots
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+dovecot.*passwd-file.*,(\d+\.\d+\.\d+\.\d+).*no passwd file:.*/)) {
return ("Failed POP3 login from",$1,"dovecot-custom","30","20,21,22,25,80,110,143,443,587","1");
}
Here is an example of a line that should be caught by the regex:
Jun 23 15:54:28 hostname dovecot[7362]: auth(default): passwd-file(user,209.85.132.185): no passwd file: /etc/virtual//passwd
Could anyone help me fix this? Thanks.
CentOS 5.2 and Dovecot 1.1.4
Fixed it myself with some modifications to the base Dovecot regex in regex.pm.
This is the base regex ->
if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ [^\s\.]+ dovecot: pop3-login: (Aborted login|Disconnected) \(auth failed, \d+ attempts\): (user=(<\S*>)?, )?method=\S+, rip=(\d+\.\d+\.\d+\.\d+), lip=\S+\s*$/)) {
return ("Failed POP3 login from",$4,"pop3d");
}
Here is the modification I made, and the result is perfect for my needs:
if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ [^\s\.]+ dovecot\[\d+\]:\spop3-login: (Aborted login|Disconnected)\s\(auth failed, \d+ attempts\):\suser=(<\S*>),\smethod=\S+, rip=(\d+\.\d+\.\d+\.\d+)/)) {
return ("Failed POP3 login from",$3,"pop3d");
}
Here is an example of the result:
Time: Fri Jul 10 19:14:46 2009 -0400
IP: 78.152.106.252 (IT/Italy/-) (Note: This is a Permanent block)
Failures: 50 (pop3d)
Interval: 90 seconds
Blocked: Yes
Log entries:
Jul 10 19:14:30 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:30 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:31 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:31 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:31 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:31 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:32 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<office>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:32 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<office>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:32 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<webadmin>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:33 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<webadmin>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:33 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<virus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:33 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<virus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:34 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<cyrus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:34 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<cyrus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:34 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<cyrus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:34 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<cyrus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:35 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<michael>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:35 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<michael>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:35 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<michael>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:36 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<michael>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:36 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<ftp>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:36 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<ftp>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:37 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<ftp>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:37 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:37 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:37 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<ftp>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:38 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test1>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:38 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test1>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:38 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test2>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:39 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<test2>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:39 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:39 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<webmaster>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:39 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<webmaster>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:39 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:40 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postgres>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:40 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postgres>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:40 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postgres>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:40 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postgres>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:40 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:41 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<office>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:41 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:41 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<webadmin>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:41 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:41 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:42 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:42 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<cyrus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:42 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<virus>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:42 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:42 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
Jul 10 19:14:43 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<postfix>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x
The only remaining point I have to fix is... I have never been able to make it work in regex.custom.pm; it makes lfd stop, with no log even with debug mode active.
So right now I have to re-upload regex.pm every time there is an update, which is not a good thing.
Re: Dovecot Regex
Little kick, it seems the log entry has been changed since v2.1.6. (dovecot .org/list/dovecot/2012-April/065558.html (forum doesn't allow me linking))
I'm not a star at regex, so I'm not sure this is the reason why my installs stopped blocking logins for Dovecot, but I'm guessing this must be it, since I can't think of having changed anything myself.
Now the log entry has a session added; here's an example:
Jun 23 15:53:51 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<root>, method=PLAIN, rip=x.x.x.x, lip=y.y.y.y, session=<384oEyTDNADKgQtG>
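The thread's regexes can be checked offline before they go anywhere near regex.custom.pm. The following harness is an added example, not code from csf/lfd or from any poster: it runs the passwd-file rule, the base pop3d rule from regex.pm, the modified pop3d rule, and a fourth, hypothetical rule written here for the v2.1.6+ log format (optional `[pid]`, the `in N secs` suffix and the trailing `session=<...>`) against the sample lines quoted in this thread. The masked `rip=x.x.x.x` of the session line is replaced by a constructed TEST-NET address so the IP capture has something to match.

```perl
#!/usr/bin/perl
# Added example, not code from csf/lfd or from any poster in this thread:
# a stand-alone harness that runs the regexes quoted above against sample
# log lines, so a rule can be checked before it goes into regex.custom.pm.
use strict;
use warnings;

# Rules copied from the thread. 'ipgroup' is the capture group that holds
# the remote IP (the $1/$3/$4 used in the corresponding return statements).
my @rules = (
    {   name    => 'dovecot-custom (passwd-file rule)',
        ipgroup => 1,
        re      => qr/^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+dovecot.*passwd-file.*,(\d+\.\d+\.\d+\.\d+).*no passwd file:.*/,
    },
    {   name    => 'pop3d (base rule from regex.pm)',
        ipgroup => 4,
        re      => qr/^\S+\s+\d+\s+\S+ [^\s\.]+ dovecot: pop3-login: (Aborted login|Disconnected) \(auth failed, \d+ attempts\): (user=(<\S*>)?, )?method=\S+, rip=(\d+\.\d+\.\d+\.\d+), lip=\S+\s*$/,
    },
    {   name    => 'pop3d (modified rule, dovecot[pid])',
        ipgroup => 3,
        re      => qr/^\S+\s+\d+\s+\S+ [^\s\.]+ dovecot\[\d+\]:\spop3-login: (Aborted login|Disconnected)\s\(auth failed, \d+ attempts\):\suser=(<\S*>),\smethod=\S+, rip=(\d+\.\d+\.\d+\.\d+)/,
    },
    # Hypothetical rule written for this example (not from csf): accepts an
    # optional [pid], the "in N secs" suffix and a trailing session=<...>.
    {   name    => 'pop3d (session-aware, hypothetical)',
        ipgroup => 1,
        re      => qr/^\S+\s+\d+\s+\S+ [^\s\.]+ dovecot(?:\[\d+\])?: pop3-login: (?:Aborted login|Disconnected) \(auth failed, \d+ attempts(?: in \d+ secs)?\): user=<\S*>, method=\S+, rip=(\d+\.\d+\.\d+\.\d+)/,
    },
);

# Sample lines: the first two are quoted in this thread; the third is the
# v2.1.6+ format with the masked rip replaced by a constructed TEST-NET
# address (203.0.113.7) so the IP capture has something to match.
my @lines = (
    'Jun 23 15:54:28 hostname dovecot[7362]: auth(default): passwd-file(user,209.85.132.185): no passwd file: /etc/virtual//passwd',
    'Jul 10 19:14:30 hostname dovecot[4234]: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=78.152.106.252, lip=x.x.x.x',
    'Jun 23 15:53:51 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=y.y.y.y, session=<384oEyTDNADKgQtG>',
);

# Apply every rule to one line; returns one [rule name, captured IP] per match.
sub matches_for {
    my ($line) = @_;
    my @hits;
    for my $rule (@rules) {
        my @caps = ($line =~ $rule->{re});
        next unless @caps;
        push @hits, [ $rule->{name}, $caps[ $rule->{ipgroup} - 1 ] ];
    }
    return @hits;
}

for my $line (@lines) {
    print "$line\n";
    my @hits = matches_for($line);
    if (!@hits) {
        print "  no rule matched -> lfd would count nothing for this line\n";
        next;
    }
    for my $hit (@hits) {
        printf "  %-40s captures %s\n", $hit->[0], $hit->[1];
    }
}
```

Running it shows the two lines from the thread each matched by exactly one of the thread's rules (the base rule fails on the DirectAdmin line because of the `dovecot[4234]:` pid, which is what the modified rule fixes), and the session line matched by none of them: the base rule also requires `attempts)` and an end-of-line right after `lip=`, and the modified rule insists on a pid. Only the hypothetical fourth rule captures the IP from the new format. Separately, `perl -c` on the edited regex.custom.pm reports any syntax error in the file, which is the first thing to rule out when lfd refuses to start after an edit.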
Re: Dovecot Regex (Moderator)
We'll look into a change for the next release. In the meantime, you will have to create a custom regex if you want to trap it.
Re: Dovecot Regex (Moderator)
We've checked that log line and it is detected correctly with the current version of csf (v5.57).
Re: Dovecot Regex
Thanks for looking into it. I think I figured it out: recently, bots brute forcing my servers do so in a slower but more persistent way; they were simply getting through because of the settings I had for LF_POP3D and LF_INTERVAL.
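The effect described in the reply above (a slow, persistent brute force staying under the failure threshold) can be made concrete with a small simulation. This is an added example, not lfd's own counting code: it applies a simplified sliding-window model, "more than `LF_POP3D` failures from one IP within `LF_INTERVAL` seconds", to two constructed attempt timings, using the `Failures: 50` / `Interval: 90 seconds` values from the alert quoted earlier plus two alternative settings for comparison.

```perl
#!/usr/bin/perl
# Added example, not lfd code: a simplified model of "N failures from one IP
# within LF_INTERVAL seconds", used to show how a slow brute force stays
# below the LF_POP3D threshold that a fast one trips immediately.
use strict;
use warnings;

# Return the epoch time at which the threshold is first reached, or undef if
# the attempt pattern never accumulates $threshold failures inside $interval.
# $events is a sorted arrayref of failure timestamps (epoch seconds) for one IP.
sub first_trigger_time {
    my ($events, $threshold, $interval) = @_;
    my @window;
    for my $t (@$events) {
        push @window, $t;
        # drop failures that fell out of the interval ending at $t
        shift @window while $window[0] < $t - $interval;
        return $t if @window >= $threshold;
    }
    return undef;
}

# Constructed attempt timings (no real logs or addresses involved):
my @fast = map { 1000 + $_ }     0 .. 59;   # one attempt per second for a minute
my @slow = map { 1000 + 3 * $_ } 0 .. 199;  # one attempt every 3 seconds for 10 minutes

# Settings to compare: the thread's 50/90, then a lower threshold, then a longer interval.
my @settings = ( [50, 90], [20, 90], [50, 300] );

for my $case ( ['fast', \@fast], ['slow', \@slow] ) {
    my ($name, $events) = @$case;
    for my $cfg (@settings) {
        my ($threshold, $interval) = @$cfg;
        my $hit = first_trigger_time($events, $threshold, $interval);
        printf "%-4s LF_POP3D=%-3d LF_INTERVAL=%-4d -> %s\n",
            $name, $threshold, $interval,
            defined $hit ? 'blocked after ' . ($hit - $events->[0]) . 's'
                         : 'never blocked';
    }
}
```

With 50 failures per 90 seconds, the one-per-second pattern is blocked after 49 seconds, while the every-3-seconds pattern can only ever have 31 failures inside any 90-second window and is never blocked; lowering the threshold to 20 or widening the interval to 300 seconds catches it. The model ignores lfd's own details (permanent versus temporary blocks, the per-log-type counters), so treat the numbers as an illustration of the threshold arithmetic, not as a prediction of lfd's exact behaviour.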