[筆記]fail2ban 阻擋sasl登入失敗的正規化語法

2013-10-16

一直以來都找不到fail2ban 去阻擋SASL認證失敗的語法，網路上之前看到的都是這幾篇

http://blog.xuite.net/pippeng/blog/63675336-Fail2Ban+for+Dovecot%3E

http://wiki.dovecot.org/HowTo/Fail2Ban

今天驚覺其實是我想錯了，這個應該不關dovecot的事！

應該是要找SASL認證錯誤的語法才對

不過dovecot預設的好像也有問題

所以我找到了這篇

http://www.howtoforge.com/forums/showthread.php?t=51349

發現了這個語法

failregex = (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
然後測試了一下
Running tests

=============

Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Use log file : /var/log/maillog

Results

=======

Failregex

|- Regular expressions:

| [1] (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w

|

`- Number of matches:

[1] 450 match(es)

Ignoreregex

|- Regular expressions:

|

`- Number of matches:

Summary

=======

Addresses found:

[1]

199.36.73.98 (Wed Oct 16 01:30:56 2013)

中間省略數百筆

223.198.165.194 (Wed Oct 16 01:47:37 2013)

再次省略數百筆

113.59.11.87 (Wed Oct 16 03:47:28 2013)

省略數百筆

114.250.15.84 (Wed Oct 16 10:51:30 2013)

省略數百筆

接下來就放著讓fail2ban 去跑跑看囉！

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true