[Dovecot] Fail2ban

Henrique Fernandes sf.rique at gmail.com
Fri Jun 11 08:16:26 EEST 2010


My fail2ban regex for dovecot 2.0beta5, with users in an SQL database, works like
this!

failregex = dovecot: auth: sql.*,<HOST>.*: Password mismatch
            dovecot: auth: sql.*,<HOST>.*: unknown user

And if you use smtp-auth in postfix through dovecot, here is my regex for it:


failregex = warning:.*\[<HOST>.*: SASL login authentication failed:.*

Sorry if this is not what you want!

[]'sf.rique


On Fri, Jun 11, 2010 at 2:00 AM, Jerrale Gayle <
jerralegayle at sheltoncomputers.com> wrote:

> Yeah, you're wrong. With regexp, you can have fail2ban ignore any part of
> the log
> file, as in ANYTHING containing text around anything will be caught. You
> can have fail2ban ban every ip address that shows up in the log!
>
>
>
>
> On 6/10/2010 5:38 PM, fakessh wrote:
>
>> "hi dovecot network
>>
>> the principle of fail2ban is repeated for connections with the same login
>> fail2ban does not work if the attack changes to login every time
>> this type of attack is rather to find valid user accounts"
>>
>> I may be wrong, I hope I too am a victim of this kind of attacks
>>
>
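
A way to check the two dovecot failregex lines from the message above offline, as an added example that is not part of the original thread: it applies them to constructed log lines and counts matches per source address, whatever login name was tried. The `<HOST>` expansion is a simplified IPv4-only stand-in, and `MAXRETRY`, the helper names and the sample lines are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also accepts hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two dovecot failregex lines from the message above; fail2ban treats
# each line of a multi-line failregex as a separate pattern.
FAILREGEX = [
    r"dovecot: auth: sql.*,<HOST>.*: Password mismatch",
    r"dovecot: auth: sql.*,<HOST>.*: unknown user",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

MAXRETRY = 3  # hypothetical jail threshold

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
Jun 11 08:00:01 mail dovecot: auth: sql(alice,203.0.113.7): unknown user
Jun 11 08:00:02 mail dovecot: auth: sql(bob,203.0.113.7): unknown user
Jun 11 08:00:03 mail dovecot: auth: sql(carol,203.0.113.7): Password mismatch
Jun 11 08:00:04 mail dovecot: auth: sql(dave,198.51.100.20): Password mismatch
Jun 11 08:00:05 mail dovecot: imap-login: Login: user=<dave>, rip=198.51.100.20
""".splitlines()


def failed_host(line):
    """Return the address captured by the first matching pattern, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Count failures per source address, independent of the login name."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```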

