I have a dovecot logfile which contains entries like this:
Jun 1 04:16:24 mail dovecot: auth-worker(3158): sql(ryan,193.42.32.170): unknown user (given password: ryan)
I want to create a fail2ban filter that blocks any login attempts where the username is the same as the given password. So far I have:
failregex = auth-worker.*,<HOST>,.* (Password mismatch|unknown user) .*given password: ryan.*
This only works for this specific password, but I want it to work with any combination where the username and password are the same, to block dictionary attacks.
The current regex is working, but it's very limited in its use case.
You can capture the user in a named capturing group with this syntax:
(?P<group_name> ... )
where ... is your pattern. Then, you can re-use this captured content in the rest of the pattern, by using a named backreference like this:
(?P=group_name)
So for your example, I presume the user is next to the IP address ("ryan" in the line below):
Jun 1 04:16:24 mail dovecot: auth-worker(3158): sql(ryan,193.42.32.170): unknown user (given password: ryan)
If this is the case, then you can use this regular expression:
I don't know how you enable the case-insensitive flag in fail2ban, but I was a bit surprised with the capital "P" on "Password mismatch". You might have to play around with this:
https://regex101.com/r/pTXjmM/1
Also check that the username pattern is valid. Here I just used
\w+
but maybe your users can use other characters. And if you have IPv6, you'll have to adapt the capturing IP group, as I presume that you need it to ban it.
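As an added example (not part of the original question or answer, and not fail2ban's own code), here is the named-group-plus-backreference approach from the answer applied to a few constructed dovecot log lines in plain Python, which is the regex engine fail2ban uses. fail2ban normally strips the timestamp and expands its `<HOST>` tag itself; for a stand-alone run the host tag is assumed to be an IPv4-only `(?P<host>...)` group, and the `\w+` username pattern is kept as in the answer.

```python
import re

# Constructed sample log lines (same shape as the line in the question).
SAMPLE_LOG = """\
Jun 1 04:16:24 mail dovecot: auth-worker(3158): sql(ryan,193.42.32.170): unknown user (given password: ryan)
Jun 1 04:16:25 mail dovecot: auth-worker(3158): sql(alice,198.51.100.7): Password mismatch (given password: alice)
Jun 1 04:16:26 mail dovecot: auth-worker(3158): sql(bob,203.0.113.9): Password mismatch (given password: hunter2)
Jun 1 04:16:27 mail dovecot: auth-worker(3158): sql(carol,203.0.113.9): unknown user (given password: Carol)
"""

# In a real fail2ban filter the host group is written as <HOST>; here it is
# spelled out as an IPv4-only named group (assumption) so the regex runs alone.
# (?P<user>\w+) captures the username and (?P=user) requires the given
# password to be exactly that same text.
FAILREGEX = (
    r"auth-worker\(\d+\): sql\((?P<user>\w+),(?P<host>\d{1,3}(?:\.\d{1,3}){3})\): "
    r"(?:Password mismatch|unknown user) \(given password: (?P=user)\)\s*$"
)


def find_self_password_attempts(log_text, ignore_case=False):
    """Return (user, host) pairs for lines whose given password equals the username.

    With ignore_case=True the backreference also matches case-insensitively,
    so 'carol' / 'Carol' counts as the same credential pair.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(FAILREGEX, flags)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append((m.group("user"), m.group("host")))
    return hits


if __name__ == "__main__":
    for user, host in find_self_password_attempts(SAMPLE_LOG, ignore_case=True):
        print(f"would ban {host} (user={user})")
```

The "bob" line is not matched because its password differs from the username, which is exactly what the backreference enforces.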