I'm trying to set up fail2ban with dovecot, I have it working on 'old' server Centos 6, but, not getting anywhere with 'new' server on Centos 7 using standard filters

I've copied same 'filter' to new server, still get nothing any idea how to figure this out ?

on old server, it logs to syslog/messages CentOS release 6.10 (Final) dovecot 2.3.10.1 (a3d0e1171)

old # fail2ban-client status dovecot Status for the jail: dovecot |- Filter | |- Currently failed: 2 | |- Total failed: 168 | - File list: /var/log/dovecot.log - Actions |- Currently banned: 0 |- Total banned: 32 `- Banned IP list:

on new server CentOS Linux release 7.8.2003 dovecot 2.3.10.1 (a3d0e1171) nothing shows up in fail2ban log (ssh, postfix does, only no dovecot) I've copied the actual /etc/fail2ban/filter.d/dovecot.conf from old server, still nothing not sure where/how to look is there a standard/approved doveot filter..?

cat jail.local ... [dovecot] enabled = true filter = dovecot logpath = /var/log/dovecot.log maxretry = 3 ignoreip = 127.0.0.1 127.0.0.0/8 ...

# fail2ban-client status dovecot Status for the jail: dovecot |- Filter | |- Currently failed: 0 | |- Total failed: 0 | - Journal matches: _SYSTEMD_UNIT=dovecot.service - Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:

# grep 'auth failed' /var/log/dovecot.log | wc 7669 149916 1558909

# cat dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server #

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service

# DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) # * Removed the 'no auth attempts' log lines from the matches because produces # lots of false positives on misconfigured MTAs making regexp unusable # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) # Martin O'Neal (added LDAP authentication failure regex) # Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)