Thanks I have already fixed this as with my reply to Noel, his suggestion works and, as with like your example which is same as Noels first, and as he correctly it seems mentions with my tests with fail2ban-regex, it only sees TLS, the deadbeats trying to brute force me, never seem to use that, so it requires what Noel suggested, a repeat without the end ,.* as well, and our OS not using pam, so wouldnt need that
thanks anyway
On 10/5/13, Oscar del Rio delrio@mie.utoronto.ca wrote:
On 04/10/2013 1:47 AM, Nick Edwards wrote:
filter.d/dovecot.conf [Definition] failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* ignoreregex =
The following is included with fail2ban 0.8.10
filters.d/dovecot.conf
# Fail2Ban configuration file for dovcot # # Author: Martin Waschbuesch # #
[Definition]
# Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.* pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
# Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =