View Single Post
  #1  
Old 26th May 2013, 22:22
Steve85 Steve85 is offline
Junior Member
 
Join Date: Apr 2013
Posts: 23
Thanks: 0
Thanked 0 Times in 0 Posts
Post Fail2Ban dovecot - Filter don`t match

Hello Guys,

i want to protect my imap / pop3 access with fail2ban but it looks like that the regex isn`t matching because nothing happens.

For SSH and other services the fail2ban works great.

Example failed Logins:
---
May 26 22:06:29 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<peter@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:06:46 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<user1@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:03 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sanjay@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:20 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<billing@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
May 26 22:07:37 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
---

I tried this regex:
Code:
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
AND this:
Code:
failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
Any idea?
Reply With Quote
Sponsored Links