Fail2Ban dovecot - Filter don't match

Discussion in 'Programming/Scripts' started by Steve85, May 26, 2013.

  1. Steve85

    Steve85 New Member

    Hello Guys,

    I want to protect my IMAP / POP3 access with fail2ban, but it looks like the regex isn't matching because nothing happens.

    For SSH and other services the fail2ban works great.

    Example failed Logins:
    ---
    May 26 22:06:29 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<peter@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
    May 26 22:06:46 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<user1@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
    May 26 22:07:03 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sanjay@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
    May 26 22:07:20 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<billing@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
    May 26 22:07:37 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9
    ---

    I tried this regex:
    Code:
    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    AND this:
    Code:
    failregex = (?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    Any idea?
     
  2. Steve85

    Steve85 New Member

    Problem solved.
    I had the wrong file :mad::eek:

    The regexes are fine.
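
An added example, not part of the original posts: an offline check of the two posted `failregex` values against log lines from the thread, assuming each pattern is applied as an unanchored Python regex search on the whole line. The two `BENIGN` lines and the address `192.0.2.10` are constructed for illustration; they show that the bare `Disconnected` alternative in the second pattern also matches a disconnect that is not an authentication failure.

```python
import re

# The two failregex values exactly as posted in the thread.
TAIL = r".*rip=(?P<host>\S*),.*"
PATTERNS = {
    "first": r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
             r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
             r"|Disconnected \(auth failed)" + TAIL,
    "second": r"(?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure"
              r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
              r"|Disconnected \(auth failed)" + TAIL,
}

# Failed logins copied from the post.
FAILED = [
    "May 26 22:06:29 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<peter@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9",
    "May 26 22:06:46 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9",
    "May 26 22:07:03 vs001 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
    "user=<sanjay@63.9>, method=PLAIN, rip=217.133.221.119, lip=80.246.63.9",
]

# Constructed lines (not from the post) that should NOT trigger a ban.
BENIGN = [
    "May 26 22:11:00 vs001 dovecot: pop3-login: Login: user=<peter>, "
    "method=PLAIN, rip=192.0.2.10, lip=80.246.63.9",
    "May 26 22:12:00 vs001 dovecot: pop3-login: Disconnected (no auth attempts): "
    "rip=192.0.2.10, lip=80.246.63.9",
]


def hosts(pattern_name, lines):
    """Return the captured host per line, or None where the pattern does not match."""
    rx = re.compile(PATTERNS[pattern_name])
    found = []
    for line in lines:
        m = rx.search(line)
        found.append(m.group("host") if m else None)
    return found


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, "failed:", hosts(name, FAILED))
        print(name, "benign:", hosts(name, BENIGN))
```

fail2ban ships a `fail2ban-regex` tool that runs the same kind of check against a real log file and filter.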
     
