On Mon, December 18, 2017 9:40 am, Bill Shirley wrote:
Copy dovecot-pop3imap.conf to dovecot-pop3imap.local. Edit dovecot-pop3imap.local and add to the failregex:
    dovecot:.+auth failed.+rip=<HOST>
Then run:
    fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
and see if you get any matches.
Bill, thanks for trying to help, and sorry for the dumb question:
shouldn't '.local' be in /etc/fail2ban/ rather than /etc/fail2ban/filter.d/?
I've copied it to /etc/fail2ban/, as that's where my other .local is?
And I'm not sure where to add it; I tried 3 different places, including at the end, but I'm getting:
in /etc/fail2ban/ (before addition)
# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=<HOST>
ignoreregex =

# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/dovecot-pop3imap.local
Running tests
Use failregex file : /etc/fail2ban/dovecot-pop3imap.local
Traceback (most recent call last):
  File "/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: Unable to compile regular expression '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
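
Editor's added example (not part of the original message, and not fail2ban's own code): the expression in the traceback holds two `(?P<host>...)` groups, because the comma-joined addition expands `<HOST>` into a second named group on the same line, and Python's `re` module refuses to compile a duplicated group name. The sketch reproduces that with plain `re`, then treats the two expressions as separate patterns, which is how fail2ban reads a failregex written one expression per line. The log line and helper names are constructed for illustration.

```python
import re

# Expansion of the <HOST> tag, copied from the traceback in the message above.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter's existing expression and the one suggested in the quoted reply.
ORIGINAL = (r"(?: pop3-login|imap-login): (?:Authentication failure"
            r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
            r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*")
ADDED = r"dovecot:.+auth failed.+rip=<HOST>"

# What the edited file produced: both expressions joined by a comma on one line.
COMBINED = ORIGINAL + "," + ADDED

# Constructed sample log line (not taken from the poster's dovecot.log).
SAMPLE = ("Dec 18 09:41:02 mail dovecot: imap-login: Disconnected (auth failed, "
          "1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, "
          "lip=192.0.2.10")


def expand(pattern):
    """Substitute the <HOST> tag the way the traceback shows it expanded."""
    return pattern.replace("<HOST>", HOST)


def compile_error(pattern):
    """Return the re.error text for the expanded pattern, or None if it compiles."""
    try:
        re.compile(expand(pattern))
        return None
    except re.error as exc:
        return str(exc)


def first_host(patterns, line):
    """Try each pattern separately and return the first captured host, if any."""
    for pattern in patterns:
        match = re.search(expand(pattern), line)
        if match:
            return match.group("host")
    return None


if __name__ == "__main__":
    print("combined :", compile_error(COMBINED))
    print("separate :", compile_error(ORIGINAL), compile_error(ADDED))
    print("host     :", first_host([ORIGINAL, ADDED], SAMPLE))
```

In the filter file, the equivalent layout is the added expression on its own indented continuation line under `failregex =`, with no comma between the two.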