On Fri, May 22, 2020 4:01 pm, Adi Pircalabu wrote:
Results
Failregex: 5149 total
[...]
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed [processed in 87.44 sec]
Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it if the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd's journal, or the regex doesn't match the journal entries. Try to comment out the "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change. P.S. Let's try and keep the replies to the list :)
Adi,
this is what I got, a lot faster as well
Running tests
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
Failregex: 5177 total
|- #) [# of hits] regular expression
|  2) [5177] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [343387] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 343387 lines, 0 ignored, 5177 matched, 338210 missed [processed in 85.97 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 338210 lines
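To see what the "matched" and "missed" tally above actually means, here is an added example (not code from the thread or from fail2ban itself) that runs the dovecot failregex printed above over a few constructed log lines. It assumes a simplified syslog-style line prefix in place of fail2ban's generic one, and substitutes an IPv4 capture for the <HOST> placeholder (fail2ban's real <HOST> also matches IPv6 and hostnames).

```python
import re

# Assumed, simplified prefix: "MON DD HH:MM:SS host dovecot[pid]: " (fail2ban's
# real prefix is the long generic one printed by fail2ban-regex above).
PREFIX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+dovecot(?:\[\d+\])?:\s+"
# <HOST> replaced by an IPv4 capture group for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Dovecot-specific part of the failregex, copied from the fail2ban-regex output.
CORE = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):"
    r"( user=<[^>]+>,)?( method=\S+,)? rip=" + HOST + r"(?:, lip=\S+)?"
    r"(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+"
    r":SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
)
FAILREGEX = re.compile(PREFIX + CORE)

# Constructed sample log lines (not real data): two auth failures that the
# filter should catch, one successful login and one idle disconnect it should not.
SAMPLE_LINES = [
    "May 22 15:59:01 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts "
    "in 12 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS, "
    "session=<sv9Qd2ej>",
    "May 22 15:59:05 mx dovecot[1234]: pop3-login: Aborted login (tried to use "
    "disabled plaintext auth): rip=198.51.100.7, lip=203.0.113.5",
    "May 22 15:59:09 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.20, lip=203.0.113.5, mpid=4242, TLS, session=<k7Fh2>",
    "May 22 15:59:12 mx dovecot: imap-login: Disconnected (no auth attempts in "
    "0 secs): user=<>, rip=192.0.2.30, lip=203.0.113.5, TLS, session=<x1>",
]


def scan(lines):
    """Return (hosts extracted from matching lines, lines the failregex missed)."""
    matched, missed = [], []
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return matched, missed


def summary(lines):
    """Tally in the same shape as fail2ban-regex's 'Lines:' summary."""
    matched, missed = scan(lines)
    return {"lines": len(lines), "matched": len(matched), "missed": len(missed)}


if __name__ == "__main__":
    hosts, missed = scan(SAMPLE_LINES)
    print("matched hosts:", hosts)          # ['192.0.2.10', '198.51.100.7']
    print(summary(SAMPLE_LINES))            # {'lines': 4, 'matched': 2, 'missed': 2}
```

A large "missed" count is expected whenever the log also carries successful logins and other non-failure events, so the matched/missed ratio alone says nothing about whether the filter is broken.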