Can someone help me create a correct fail2ban filter? Bad IP addresses are knocking on port 993, and /etc/fail2ban/filter.d/dovecot.conf does not catch logs like these.
I found something like this, but I get errors:

[Definition]
failregex = ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $

The mail.log:
Jan 28 11:35:10 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS, session=<4WmzJqHWpuJ1Mm4F>
Jan 28 11:35:11 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<8Bi9JqHWYIB1Mm4F>
Jan 28 11:35:12 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<9vHEJqHWmIF1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=676) failed: Connection reset by peer, session=<Ri3TJqHWtIJ1Mm4F>
Jan 28 11:35:13 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<RjDbJqHWdIR1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<mHXjJqHWHIV1Mm4F>
Jan 28 11:35:14 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<l6XnJqHW0IV1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: read(size=595) failed: Connection reset by peer, session=<ic/zJqHWhoZ1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: Connection closed, session=<aw78JqHWXId1Mm4F>
Jan 28 11:35:15 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<gTIAJ6HWMoh1Mm4F>
Jan 28 11:35:16 mbm2-srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=117.50.110.5, lip=192.168.1.254, TLS handshaking: SSL_accept() failed: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share, session=<l9UIJ6HW8Ih1Mm4F>

Thanks again.

Posted on 2022-01-31 15:16:52
If you use a newer fail2ban version, where the dovecot filter supports aggressive mode, you don't need to write your own regex.
You can check that with:

fail2ban-regex /path/to/log-or-test-message dovecot[mode=aggressive]

If you see matches, it works for you, so simply set it in your jail.local for dovecot:

[dovecot]
mode = aggressive
...
enabled = true

> I found something like this, but I get errors
Your example seems to be incomplete (trimmed?); anyway, it has no <ADDR> or <HOST>, and it was probably written for another fail2ban version (which you also did not provide).
Anyway, for v0.10 or newer it could look similar to this, except that it works only together with the prefregex specified a few lines above in the same filter, as well as the other substitution variables specified there, and it probably also depends on the version of the common filter includes.
Or even something like this (must work for every version and needs no includes):

failregex = ^\s*(?:\S+\s+)?(?:(?:dovecot(?:-auth)?|auth)(?:\[\d+\])?:?\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:(?:dovecot: )?auth(?:-worker)?(?:\([^\)]+\))?: )?(?:pam_unix(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?(?:conn \w+:auth(?:-worker)? \(uid=\w+\): auth(?:-worker)?<\d+>: )?(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$

https://serverfault.com/questions/1091459