Thanks, I have already fixed this, as in my reply to Noel: his suggestion works. Your example is the same as Noel's first, and as he correctly, it seems, mentions, in my tests with fail2ban-regex it only sees TLS. The deadbeats trying to brute force me never seem to use that, so it requires what Noel suggested, a repeat without the end ,.* as well. Our OS is not using pam, so we wouldn't need that.
Thanks anyway.
On 10/5/13, Oscar del Rio <delrio@mie.utoronto.ca> wrote:
On 04/10/2013 1:47 AM, Nick Edwards wrote:
filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
The following is included with fail2ban 0.8.10
filters.d/dovecot.conf
# Fail2Ban configuration file for dovcot
#
# Author: Martin Waschbuesch

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
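
Added example, not part of the original thread: a Python check, in the spirit of fail2ban-regex, of why the trailing ,.* in the shipped failregex only matches lines where something follows rip=. The two log lines are constructed and assume a log format in which TLS is appended after rip=; NO_TAIL is an assumed reading of the "repeat without the end ,.*", not the exact pattern Noel posted.

```python
import re

# First failregex line from the fail2ban 0.8.10 filter quoted above.
SHIPPED = (r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
           r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
           r"|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*")

# Assumed second pattern: same regex with the ",.*" tail dropped and the end
# anchored, so it matches only when rip= is the last field on the line.
NO_TAIL = SHIPPED[:-len(",.*")] + r"\s*$"

# Same regex with the tail dropped but NOT anchored (shown as a pitfall).
UNANCHORED = SHIPPED[:-len(",.*")]

# Constructed sample lines (assumed log format, documentation-range addresses).
TLS_LINE = ("Oct  4 01:02:03 mail dovecot: imap-login: Aborted login "
            "(auth failed, 3 attempts): user=<bob>, method=PLAIN, "
            "rip=203.0.113.7, TLS")
PLAIN_LINE = ("Oct  4 01:02:09 mail dovecot: pop3-login: Aborted login "
              "(auth failed, 1 attempts): user=<admin>, method=PLAIN, "
              "rip=198.51.100.23")


def match_host(patterns, line):
    """Return the 'host' group of the first pattern that matches, else None."""
    for pattern in patterns:
        m = re.search(pattern, line)
        if m:
            return m.group("host")
    return None


def coverage(patterns):
    """Map each sample line label to the host the filter would extract."""
    return {"tls": match_host(patterns, TLS_LINE),
            "plain": match_host(patterns, PLAIN_LINE)}


if __name__ == "__main__":
    print("shipped only     :", coverage([SHIPPED]))
    print("shipped + no-tail:", coverage([SHIPPED, NO_TAIL]))
    # Greedy \S* with no anchor swallows the comma that follows the address.
    print("unanchored       :", coverage([UNANCHORED]))
```

Run fail2ban-regex against the real log after any change to the filter; the constructed lines here only illustrate the comma dependency.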