HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Steve85 26th May 2013 23:22

Fail2Ban dovecot - Filter doesn't match
 
Hello Guys,

I want to protect my IMAP / POP3 access with fail2ban, but it looks like the regex isn't matching because nothing happens.

For SSH and other services the fail2ban works great.

Example failed Logins:
---
May 26 22:06:29 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<peter@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:06:46 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<user1@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:03 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sanjay@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:20 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<billing@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:37 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
---

I tried this regex:
Code:

failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

And this:
Code:

failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

Any idea?

Steve85 28th May 2013 13:57

Problem solved.
I had the wrong file :mad::eek:

The regexes are fine.
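
An added example, not part of the original posts: a Python check that runs both failregex values from the thread over the five quoted log lines plus two constructed ones, using a per-line `re.search` as an approximation of how fail2ban applies a filter. The `maxretry` threshold of 3 and the two `192.0.2.x` lines are assumptions.

```python
import re
from collections import Counter

# The two failregex values from the thread, verbatim.
FAILREGEX_1 = r".*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
FAILREGEX_2 = r"(?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"

# First five lines are quoted in the thread; the last two are constructed
# negatives (a successful login and a disconnect without any auth attempt).
SAMPLE_LOG = """\
May 26 22:06:29 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<peter@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:06:46 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<user1@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:03 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sanjay@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:20 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<billing@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:37 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:08:01 vs001 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=80.246.63.9
May 26 22:08:05 vs001 dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.11, lip=80.246.63.9
"""


def failures(pattern, log_text):
    """Count matching lines per captured host, searching each line separately."""
    rx = re.compile(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(hits, maxretry=3):
    """Hosts whose match count reaches maxretry (3 is an assumed jail setting)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("failregex 1", FAILREGEX_1), ("failregex 2", FAILREGEX_2)):
        hits = failures(rx, SAMPLE_LOG)
        print(name, dict(hits), "ban:", would_ban(hits))
```

Both patterns match all five failed logins from the thread and capture `217.133.221.119`. The second pattern's bare `Disconnected` alternative also matches the constructed "no auth attempts" line, so it counts disconnects where no login was attempted.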

