On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
For dovecot 2.1
as per wiki2, is this still valid? noticed a problem before and saw it does seem to be triggering, I use:
looks outdated
filter.d/dovecot.conf
That'll never work, you need to change
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication
to
failregex = (?: pop3-login|imap-login): .*(?:Authentication
                                        ^^
BUT, then, with the rest of your regex, it will only partly match because it's looking for ", something" like " ,TLS" at the end which won't appear on failed imap/pop3 logins that don't use TLS, etc, so any failed attempts using TLS will be found, if they are not using it, they will be missed (most miscreants likely won't be using it anyway)
I am NO Python expert, in fact, I know less than less about Python, so
you'll best need to wait for someone who knows the answer, or ask on
fail2ban list, on how you can change that to match both, by changing
the last bit to
\(auth failed).*rip=(?P<host>\S*)
In the meantime, you could repeat your failregex, like
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)
I think that's horrible, messy, yukky, but it likely might work :) at least until you find a better answer, there are some fail2ban fanbois on this list, but as it's the weekend, you may need to be patient.
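
A way to check the failregex variants from this message before loading them into fail2ban, as an added example that is not part of the original post. The three log lines are constructed, and the "delimited" pattern is an assumption of this example rather than something from the thread; the output also shows that `\S*` keeps the trailing comma in the captured host once the `,.*` suffix is dropped.

```python
import re

# Building blocks copied from the failregex quoted in the message.
PREFIX = r"(?: pop3-login|imap-login): "
REASONS = (r"(?:Authentication failure|Aborted login \(auth failed"
           r"|Aborted login \(tried to use disabled|Disconnected \(auth failed)")

PATTERNS = {
    # Filter without the ".*" between the service name and the reason.
    "no_wildcard": PREFIX + REASONS + r".*rip=(?P<host>\S*),.*",
    # With the ".*" added, still requiring a comma after the rip= value.
    "comma_suffix": PREFIX + r".*" + REASONS + r".*rip=(?P<host>\S*),.*",
    # Last part changed to end at rip=(?P<host>\S*), as suggested in the message.
    "no_suffix": PREFIX + r".*" + REASONS + r".*rip=(?P<host>\S*)",
    # Assumption of this example: stop the capture at whitespace or a comma.
    "delimited": PREFIX + r".*" + REASONS + r".*rip=(?P<host>[^\s,]+)",
}

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LINES = [
    # Fields after rip=, ending in TLS.
    "Oct  4 15:47:01 mail dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS",
    # Extra text ("Info: ") between the service name and the reason.
    "Oct  4 15:47:02 mail dovecot: pop3-login: Info: Disconnected (auth failed, "
    "2 attempts): user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5",
    # rip= is the last field on the line, nothing follows it.
    "Oct  4 15:47:03 mail dovecot: imap-login: Aborted login (auth failed, "
    "1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.12",
]


def scan(name, lines=SAMPLE_LINES):
    """Return the captured host for each line, or None where the pattern misses.

    re.search is used because fail2ban searches for the failregex anywhere
    in the log line rather than anchoring it at the start.
    """
    rx = re.compile(PATTERNS[name])
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:13} {scan(name)}")
```

For a real filter file, `fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/dovecot.conf` runs the same kind of check against actual log lines.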