Lou Duchez wrote:

Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:

"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".

So in other words, Fail2Ban expects that each line of the log will start with a timestamp.

Hmmm, I'm using:

dovecot --version 1.2.rc3

rpm -q fail2ban fail2ban-0.8.3-18.fc10.noarch

and this seems to work just fine for me:

failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)

in my /etc/fail2ban/filter.d/dovecot.conf.

Bill

On Mon, 11 May 2009 15:56:45 -0400 Lou Duchez <lou@paprikash.com> wrote:

Hi,

Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:

"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".

So in other words, Fail2Ban expects that each line of the log will start with a timestamp.

Thanks all! Dovecot rocks.

Well, this is not completely true... I have a working fail2ban config using the dovecot log file, not syslog, and it's working fine... I had to change the date format for the log file, but after doing that, the fail2ban works as it should...

BTJ