Fail2ban on Debian stretch: roundcube-auth failregex does not work

Debian Stretch - roundcube-auth does not ban IPs with failed logins. It seems the failregex does not match the logged failed logins.

Failed logins from roundcube in /var/log/mail.log look like this:

Mar 30 16:15:31 debian roundcube[13209]: <ppt6hqpa> IMAP Error: Login failed for [email protected] against localhost from 255.255.255.255. LOGIN: Login failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /roundcube/?_task=login&_action=login)
Mar 30 16:15:32 debian roundcube[13209]: <ppt6hqpa> Failed login for [email protected] from 255.255.255.255 in session ppt6hqpajq3nup5v (error: 0)

fail2ban-roundcube-auth.conf

[INCLUDES]

before = common.conf

[Definition]
failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
                ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$

fail2ban-jail.conf

[roundcube-auth]

port     = http,https
#logpath  = %(roundcube_errors_log)s
logpath  = /var/log/mail.log
enabled = true
maxretry = 2
bantime = 3600

fail2ban-client status

fail2ban-client status
Status
|- Number of jail:      9
`- Jail list:   apache-badbots, courier-auth, postfix, postfix-ispmail, postfix-sasl, proftpd, roundcube-auth, squirrelmail, sshd

fail2ban-client status roundcube-auth

Status for the jail: roundcube-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Answer 1

I changed the failregex to

failregex = IMAP Error: Login failed for .* from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$

and it started working.
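
The following is an added example, not part of the original question or answer: it runs the question's two failregex lines and the answer's failregex over log lines in the format shown above, to show which ones produce a host to ban. The `<HOST>` and `%(__hostname)s` expansions and the timestamp stripping are simplified stand-ins for what fail2ban does (assumptions), and the address and mailbox in the sample lines are constructed.

```python
import re

# Stand-ins for fail2ban's own substitutions (assumptions, simplified):
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # <HOST>, IPv4 only here
HOSTNAME = r"\S+"                              # %(__hostname)s from common.conf

def compile_failregex(pattern):
    """Expand the two placeholders the page's filters use and compile."""
    return re.compile(pattern.replace("%(__hostname)s", HOSTNAME).replace("<HOST>", HOST))

def strip_timestamp(line):
    """Approximate fail2ban removing the matched date before applying failregex."""
    return re.sub(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d", "", line, count=1)

def banned_host(pattern, line):
    """Return the captured host if the failregex matches, else None."""
    m = compile_failregex(pattern).search(strip_timestamp(line))
    return m.group("host") if m else None

# The two failregex lines from the question's filter, and the one from the answer.
PACKAGED_1 = r"^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$"
PACKAGED_2 = r"^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$"
ANSWER = r"IMAP Error: Login failed for .* from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$"

# Constructed log lines in the format shown in the question.
IMAP_LINE = ("Mar 30 16:15:31 debian roundcube[13209]: <ppt6hqpa> IMAP Error: Login failed for "
             "user@example.org against localhost from 192.0.2.10. LOGIN: Login failed. in "
             "/var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 "
             "(POST /roundcube/?_task=login&_action=login)")
SESSION_LINE = ("Mar 30 16:15:32 debian roundcube[13209]: <ppt6hqpa> Failed login for "
                "user@example.org from 192.0.2.10 in session ppt6hqpajq3nup5v (error: 0)")

if __name__ == "__main__":
    for name, rx in (("packaged #1", PACKAGED_1), ("packaged #2", PACKAGED_2), ("answer", ANSWER)):
        for label, line in (("IMAP Error line", IMAP_LINE), ("Failed login line", SESSION_LINE)):
            print(f"{name:12} {label:18} -> {banned_host(rx, line)}")
```

Under these assumptions the first packaged pattern only matches a `roundcube:` prefix without the `[13209]` PID, and the answer's pattern matches the "IMAP Error" line but not the "Failed login ... in session" line. On a real system, `fail2ban-regex` run with the log file and the filter file gives the authoritative result.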
