From b7cb4ac9d5a2cb340df73874b5f9c82714df9f1a Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sun, 2 Jul 2017 11:10:35 +0200
Subject: [PATCH] [Fail2ban] Added more regex to match failed or disallowed logins to Dovecot, changed Mailcow to mailcow
---
 data/Dockerfiles/fail2ban/logwatch.py | 5 ++++-
 data/web/inc/functions.inc.php | 4 ++--
 docker-compose.yml | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/data/Dockerfiles/fail2ban/logwatch.py b/data/Dockerfiles/fail2ban/logwatch.py
index 5dec15e2..74bc26b5 100644
--- a/data/Dockerfiles/fail2ban/logwatch.py
+++ b/data/Dockerfiles/fail2ban/logwatch.py
@@ -40,8 +40,11 @@ RULES[php_fpm_container] = {}
 RULES[postfix_container][1] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .* authentication failed'
 RULES[dovecot_container][1] = '-login: Disconnected \(auth failed, .*\): user=.*, method=.*, rip=([0-9a-f\.:]+),'
+RULES[dovecot_container][2] = '-login: Disconnected \(no auth .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
+RULES[dovecot_container][3] = '-login: Aborted login \(no auth .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
+RULES[dovecot_container][4] = '-login: Aborted login \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
 RULES[sogo_container][1] = 'SOGo.* Login from \'([0-9a-f\.:]+)\' for user .* might not have worked'
-RULES[php_fpm_container][1] = 'Mailcow UI: Invalid password for .* by ([0-9a-f\.:]+)'
+RULES[php_fpm_container][1] = 'mailcow UI: Invalid password for .* by ([0-9a-f\.:]+)'
 r.setnx("F2B_BAN_TIME", "1800")
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 948214e9..8e7b7cfd 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
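Review bot: Rules 2 and 3 count every Dovecot session that ends with "no auth" as a failed login, so hosts that connect without authenticating (monitoring probes, clients that time out) accumulate toward a ban exactly like password failures. A comment above these rules should state that this is intended, and it is worth checking that monitoring sources are covered by whatever allowlist the watcher uses, which is not visible in this hunk. In the three added rules `user=.+` is a greedy match over a client-supplied field in an unanchored pattern. Assuming Dovecot's default `user=<...>` log format, a tighter raw-string form keeps the capture tied to Dovecot's own `rip=` field and avoids the invalid `\(` escapes in a normal string literal: `RULES[dovecot_container][2] = r'-login: Disconnected \(no auth .+\): user=<[^>]*>, rip=([0-9a-f\.:]+), lip.+'`.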
@@ -229,11 +229,11 @@ function check_login($user, $pass) {
 }
 if (!isset($_SESSION['ldelay'])) {
 $_SESSION['ldelay'] = "0";
- error_log("Mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+ error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
 }
 elseif (!isset($_SESSION['mailcow_cc_username'])) {
 $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
- error_log("Mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+ error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
 }
 sleep($_SESSION['ldelay']);
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index d69bdc3f..853dbc36 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -319,7 +319,7 @@ services:
 - acme
 fail2ban-mailcow:
- image: mailcow/fail2ban:1.5
+ image: mailcow/fail2ban:1.4
 build: ./data/Dockerfiles/fail2ban
 depends_on:
 - dovecot-mailcow
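Review bot: Both new `error_log` calls still concatenate `$user` into the message unchanged, and the fail2ban watcher parses that line to decide which address to ban. Unless `check_login` restricts `$user` before this point (the function begins outside the hunk), control characters or a line break in the submitted name could yield a log record that the watcher attributes to a different address. Strip non-printable characters before logging, for example `$log_user = preg_replace('/[^\x20-\x7E]/', '', $user);`, and log `$log_user` instead. Anchoring the matching rule in logwatch.py on the trailing `REMOTE_ADDR` would make the parser side robust as well.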
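Review bot: The image tag moves backwards, from `mailcow/fail2ban:1.5` to `mailcow/fail2ban:1.4`, in the same commit that changes the rules baked into `logwatch.py`, so the tag no longer identifies which rule set an image contains. If a `1.4` image was published or built earlier (not visible on this page), a host that already holds it keeps running the old watcher until the image is rebuilt or pulled again. That older watcher would presumably still match `Mailcow UI:` while the UI now logs `mailcow UI:`, leaving web-login failures uncounted. If the downgrade is intentional, the commit message should say why; otherwise use a tag that has not been used before.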