11 Sep 2017, 10:38 a.m.
Many thanks Christian.
Added that, but it still doesn’t match:
$ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user@bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$"

Your log has "auth-worker(10094): sql" whereas the fail2ban regex has ")sauth: Info: sql\(\". When you change that to ")sauth-worker: sql\(\" does it work then?
Try to reduce the regex to a working minimum and then add parts back until it breaks...
[...]
Any other suggestions?
Thanks,
James.
-- Christian Kivalo
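
The reduce-and-rebuild approach suggested in this reply, as an added example that is not part of the original thread: the failregex is cut into ordered fragments and grown one fragment at a time against the log line as it is printed on this page. `PREFIX` and `HOST` are simplified stand-ins (assumptions) for the timestamp plus `%(__prefix_line)s` and for `<HOST>`, and the two replacement fragments are constructed for this one line only.

```python
import re

# Log line copied from the message above, exactly as printed on this page.
LOG = ("Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): "
       "sql(user@bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): "
       "Password mismatch (given password: 2)")

# Simplified stand-ins (assumptions) for what fail2ban substitutes itself:
# the timestamp plus %(__prefix_line)s, and the <HOST> tag.
PREFIX = r"^\w{3} +\d+ [\d:]+ \S+ dovecot\[\d+\]: "
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# The failregex from the message, cut into ordered fragments.
ORIGINAL = [
    PREFIX,
    r"auth: Info: ",
    r"sql\(",
    r"\S+,",
    HOST + ",",
    r"\<\S+\>",
    r"\): ",
    r"(Password mismatch|unknown user)",
    r"( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$",
]

def first_failing(fragments, line):
    """Index of the first fragment that stops the growing regex matching, or None."""
    for i in range(len(fragments)):
        if re.match("".join(fragments[: i + 1]), line) is None:
            return i
    return None

def with_fragment(fragments, index, replacement):
    """Copy of the fragment list with one fragment swapped out."""
    return fragments[:index] + [replacement] + fragments[index + 1:]

# Constructed replacements for this one log line, not a fail2ban filter fix.
WORKER = with_fragment(ORIGINAL, 1, r"auth-worker\(\d+\): ")
NO_OPEN_BRACKET = with_fragment(WORKER, 5, r"\<?\S+\>")

if __name__ == "__main__":
    for name, frags in [("original", ORIGINAL), ("worker", WORKER),
                        ("optional '<'", NO_OPEN_BRACKET)]:
        i = first_failing(frags, LOG)
        print(name, "->", "full match" if i is None else f"breaks at {frags[i]!r}")
```

Because a prefix of a matching pattern always matches, the first index that fails points at the fragment to fix; after each fix the check is run again to find the next one.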