Anonymous | Login | 2024-12-22 00:21 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0022541 | ClearOS | app-imap - IMAP and POP Server | public | 2018-12-10 14:35 | 2019-05-03 02:01 | ||||
Reporter | NickH | ||||||||
Assigned To | NickH | ||||||||
Priority | normal | Severity | minor | Reproducibility | always | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | 7.5.0 Updates | ||||||||
Target Version | 7.5.0 Updates | Fixed in Version | 7.5.0 Updates | ||||||
Summary | 0022541: filter for cyrus-imap jail does not work | ||||||||
Description | The default filter for the cyrus-imap jail in /etc/fail2ban/filter.d/cyrus-imap.conf does not work on our logs. The filter is: failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ Typical failure lines are POP failed logins are: Dec 7 15:39:29 mail pop3[21087]: badlogin: [129.145.7.35] plaintext champagne SASL(-13): authentication failure: checkpass failed Dec 7 15:39:29 mail pop3[21089]: badlogin: [129.145.7.35] plaintext harold SASL(-13): authentication failure: checkpass failed Dec 7 15:39:29 mail pop3[21090]: badlogin: [129.145.7.35] plaintext crystal SASL(-13): authentication failure: checkpass failed Dec 7 15:39:29 mail pop3[21088]: badlogin: [129.145.7.35] plaintext bob SASL(-13): authentication failure: checkpass failed These do not get detected. If the filter is changed to: failregex = ^%(__prefix_line)sbadlogin: .*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ the lines are then detects. The problem is the first \S (non-whitespace character) where our logs only have a space between "badlogin:" and the IP address. If you change the \S for a ".*", everything that would have been picked up by the first filter still gets picked up, and our log failures get detected. There seem to be three approaches to fix this: 1 - get upstream to fix (good luck) 2 - add an /etc/fail2ban/filter.d/cyrus-imap.local with a modified filter. This is what I do (and have done for a couple of years) 3 - add a filter to /etc/fail2ban/jail.d/clearos-cyrus-imap.conf. I don't know if this will work, but I think it will. I think it takes precedence over /etc/fail2ban/filter.d/cyrus-imap.conf but defers to /etc/fail2ban/filter.d/cyrus-imap.local which should be under the user's control. This needs testing, but would be the ideal route as ClearOS can override upstream and the user can still override ClearOS. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0008691) NickH (developer) 2018-12-11 04:37 |
I have subsequently determined that the issue could also be fixed by pushing fail2ban-server-0.9.7-1.el7.noarch through from epel-unverified. In that case my patch to app-imap can be backed out. |
(0008721) NickH (developer) 2018-12-14 12:37 |
Now fixed as app-imap-2.5.8 in updates testing. Also needs fail2ban-server-0.9.7 from epel unverified |
(0008791) NickH (developer) 2019-02-01 12:31 |
Resolved by releasing fail2ban-server-0.9.7 from ELEP |
Issue History | |||
Date Modified | Username | Field | Change |
2018-12-10 14:35 | NickH | New Issue | |
2018-12-11 02:38 | NickH | Category | app-attack-detector - Attack Detector => app-imap - IMAP and POP Server |
2018-12-11 04:37 | NickH | Note Added: 0008691 | |
2018-12-14 12:36 | dloper | Target Version | => 7.5.0 Updates |
2018-12-14 12:37 | NickH | Note Added: 0008721 | |
2019-02-01 12:31 | NickH | Note Added: 0008791 | |
2019-02-01 12:31 | NickH | Status | new => resolved |
2019-02-01 12:31 | NickH | Fixed in Version | => 7.5.0 Updates |
2019-02-01 12:31 | NickH | Resolution | open => fixed |
2019-02-01 12:31 | NickH | Assigned To | => NickH |
2019-05-03 02:01 | NickH | Status | resolved => closed |