Bill Landry wrote:
Lou Duchez wrote:
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex."
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Hmmm, I'm using:
dovecot --version
1.2.rc3
rpm -q fail2ban
fail2ban-0.8.3-18.fc10.noarch
and this seems to work just fine for me:
failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)
in my /etc/fail2ban/filter.d/dovecot.conf.
Oh, and you can test this with:
fail2ban-regex /path/to/dovecot.log "auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"
Adjust the path in the string above to point to your dovecot.log file.
Bill
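
An added example, not part of the original thread and not Fail2Ban's own code: a small Python check that applies the failregex quoted above to log lines carrying the "dovecot: " prefix and counts failures per address. The `<HOST>` expansion is a simplified IPv4-only stand-in, the log lines are constructed samples, and timestamp detection is not modelled.

```python
import re
from collections import Counter

# The failregex quoted in the message above, copied verbatim.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

# Assumption: simplified stand-in for Fail2Ban's <HOST> tag, which captures
# the client address in a group named "host". IPv4 only in this sketch.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (documentation address ranges), written in the
# "dovecot: "-prefixed style described in the question.
SAMPLE_LOG = """\
dovecot: Apr 10 12:00:01 Info: auth(default): passwd-file(alice,192.0.2.10): unknown user
dovecot: Apr 10 12:00:05 Info: auth(default): passwd-file(bob,192.0.2.10): Password mismatch
dovecot: Apr 10 12:00:09 Info: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7
dovecot: Apr 10 12:00:12 Info: auth(default): passwd(dave,203.0.113.4): unknown user
dovecot: Apr 10 12:00:15 Info: auth(default): passwd-file(erin,192.0.2.10): lookup
"""


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Return a Counter of client address -> number of matching lines."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        # search(), not match(): the pattern is unanchored, so the leading
        # "dovecot: " text and timestamp do not have to be part of it.
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def over_threshold(hits, maxretry):
    """Addresses with at least maxretry failures, sorted for stable output."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failed_hosts(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} failure(s)")
    print("would exceed maxretry=2:", over_threshold(counts, 2))
```

The successful login and the plain lookup line are ignored, which is the behaviour to confirm before trusting the filter on a real log with `fail2ban-regex`.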