glenpp / cacti-uloganalyser

Cacti Templates, data collection with Universal Loganalyser and plugins via SNMP
GNU General Public License v2.0

Dovecot plugin failed login are not parsed correctly #12

Closed methilnet closed 6 years ago

methilnet commented 6 years ago

The dovecot plugin auth section is not parsing failed logins correctly. Everything is tagged under dovecot:auth:disallowedchar instead of unknown user and password mismatch.

Log sample

```
May 30 10:28:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<jQRvKG1tzuWuW+tI>): unknown user
May 30 10:28:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<jQRvKG1tzuWuW+tI>
May 30 10:29:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<39ACLG1t0OWuW+tI>): unknown user
May 30 10:29:09 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 9 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<39ACLG1t0OWuW+tI>
May 30 10:30:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<6GqWL21t0eWuW+tI>): unknown user
May 30 10:30:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<6GqWL21t0eWuW+tI>
May 30 10:31:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<gDEqM21t0uWuW+tI>): unknown user
May 30 10:31:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<gDEqM21t0uWuW+tI>
May 30 10:32:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<XgO+Nm1t0+WuW+tI>): unknown user
May 30 10:32:37 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 37 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<XgO+Nm1t0+WuW+tI>
May 30 10:33:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<xsxROm1t1eWuW+tI>): unknown user
May 30 10:33:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<xsxROm1t1eWuW+tI>
May 30 10:34:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<l33lPW1t1uWuW+tI>): unknown user
May 30 10:34:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<l33lPW1t1uWuW+tI>
May 30 10:35:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<jEJ5QW1t1+WuW+tI>): unknown user
May 30 10:35:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<jEJ5QW1t1+WuW+tI>

May 30 10:50:26 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:50:28 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=
May 30 10:50:43 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,<Z0HJeG1tY/ltSAGL>): Password mismatch
May 30 10:50:45 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<Z0HJeG1tY/ltSAGL>
May 30 10:51:00 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:51:02 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=
May 30 10:51:17 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:51:19 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=
May 30 10:51:34 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:51:36 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=
May 30 10:51:51 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:51:53 machinenamesvr01 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=badpassword@nogood.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=
```

methilnet commented 6 years ago

Forgot to mention: dovecot 2.2.34 and don't have any disallowed char in my dovecot log.

glenpp commented 6 years ago

Excellent bug report - I've been able to use these redacted log lines as test input for the update. Just pushed an updated dovecot.pm which has had about 24hr of testing on my systems, so hopefully works for you. Re-open this if the problem is not fully solved.
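
One way to classify the auth-worker lines from the report, as an added example in Python; it is not the project's `dovecot.pm` and not code from this thread. Only `dovecot:auth:disallowedchar` is a counter name from the report; the other counter names, the function names and the wording of the disallowed-character sample line are assumptions.

```python
import re
from collections import Counter

# Constructed sample: four lines modelled on the report, plus one
# disallowed-character line whose wording is an assumption.
SAMPLE = """\
May 30 10:28:00 machinenamesvr01 dovecot: auth-worker(15299): sql(unknown@user.com,123.123.123.123,<jQRvKG1tzuWuW+tI>): unknown user
May 30 10:28:52 machinenamesvr01 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 52 secs): user=unknown@user.com, method=PLAIN, rip=123.123.123.123, lip=321.321.321.321, session=<jQRvKG1tzuWuW+tI>
May 30 10:50:26 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,): Password mismatch
May 30 10:50:43 machinenamesvr01 dovecot: auth-worker(15299): sql(badpassword@nogood.com,123.123.123.123,<Z0HJeG1tY/ltSAGL>): Password mismatch
May 30 10:52:00 machinenamesvr01 dovecot: auth-worker(15299): sql(bad'user,123.123.123.123,<AAAAconstructed>): Username character disallowed by auth_username_chars: 0x27 (username: bad'user)
"""

# db(user,rip,session): reason -- the session field may be empty, as in the report
AUTH_RE = re.compile(
    r"dovecot: auth(?:-worker\(\d+\))?: "
    r"(?P<db>\w+)\((?P<user>[^,]*),(?P<rip>[^,)]*)(?:,(?P<session>[^)]*))?\): "
    r"(?P<reason>.*)$"
)

# Only dovecot:auth:disallowedchar appears in the report; the other
# counter names are hypothetical.
REASONS = [
    ("dovecot:auth:unknownuser", re.compile(r"unknown user", re.I)),
    ("dovecot:auth:passwordmismatch", re.compile(r"password mismatch", re.I)),
    ("dovecot:auth:disallowedchar", re.compile(r"username character disallowed", re.I)),
]

def parse_line(line):
    """Return a dict for an auth failure line, or None for anything else."""
    m = AUTH_RE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = (rec["session"] or "").strip("<>")
    # Classify on the reason text only, anchored at its start, so characters
    # in the user or session fields can never select a category.
    rec["stat"] = next((name for name, rx in REASONS if rx.match(rec["reason"])),
                       "dovecot:auth:other")
    return rec

def summarise(text):
    """Count failures per category and per remote IP."""
    by_stat, by_rip = Counter(), Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        by_stat[rec["stat"]] += 1
        by_rip[rec["rip"]] += 1
    return by_stat, by_rip

if __name__ == "__main__":
    stats, sources = summarise(SAMPLE)
    print(dict(stats), dict(sources))
```

Reasons that match none of the patterns land in `dovecot:auth:other` instead of being forced into an existing bucket, so a miscount shows up as a separate series on the graph.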