[Dovecot] Fail2ban and logging

14 Jul 2013 · *(?:pop3-login|imap-login):.*


      Hello,
Dovecot is logging authentication failures this way:
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152,
lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>
Fail2ban is trying to catch them with this regex:
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to use
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
This way fail2ban is counting 22 attempts as 1 attempt...
I expect I need to change something on the logging, so that every
attempt is seperate logged. But I don't know how.
Is here somebody who knows how to get fail2ban correct working?
No help on this on the wiki's:
http://wiki1.dovecot.org/HowTo/Fail2Ban
http://wiki1.dovecot.org/Logging
http://www.fail2ban.org/wiki/index.php/Dovecot
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl/

[Dovecot] Fail2ban and logging

Paul van der Vlis

Dovecot is logging authentication failures this way:

Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22 attempts in 172 secs): user=<info>, method=PLAIN, rip=82.95.148.152, lip=1.2.3.4, TLS, session=<QylMqlLhVwBSX5SY>

Fail2ban is trying to catch them with this regex:

failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

failregex = .(?:pop3-login|imap-login):.(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).rip=(?P<host>\S),.*