samwiseetc/fail2ban/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
Initial commit 7 years ago			`# Fail2Ban filter Dovecot authentication and pop3/imap server`
			`#`

			`[INCLUDES]`

			`before = common.conf`

			`[Definition]`

			`_daemon = (auth\|dovecot(-auth)?\|auth-worker)`

			`failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S)?\s$`
			`^%(__prefix_line)s(?:pop3\|imap)-login: (?:Info: )?(?:Aborted login\|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?\|tried to use (disabled\|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$`
			`^%(__prefix_line)s(?:Info\|dovecot: auth\(default\)\|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)\|Authentication failure \(password mismatch\?\))\s*$`
			`^%(__prefix_line)s(?:auth\|auth-worker\(\d+\)): (?:pam\|passwd-file)\(\S+,<HOST>\): unknown user\s*$`
			`^%(__prefix_line)s(?:auth\|auth-worker\(\d+\)): Info: ldap\(\S,<HOST>,\S\): invalid credentials\s*$`

			`ignoreregex =`

			`[Init]`

			`journalmatch = _SYSTEMD_UNIT=dovecot.service`

			`# DEV Notes:`
			`# * the first regex is essentially a copy of pam-generic.conf`
			`# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)`
			`# * Removed the 'no auth attempts' log lines from the matches because produces`
			`# lots of false positives on misconfigured MTAs making regexp unusable`
			`#`
			`# Author: Martin Waschbuesch`
			`# Daniel Black (rewrote with begin and end anchors)`
			`# Martin O'Neal (added LDAP authentication failure regex)`
			`# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)`