[Dovecot] Fail2Ban and the Dovecot log
Hi,
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Thanks all! Dovecot rocks.
-------- Original message --------
Date: Mon, 11 May 2009 15:56:45 -0400 From: Lou Duchez lou@paprikash.com To: dovecot@dovecot.org Subject: [Dovecot] Fail2Ban and the Dovecot log
Hi,
Hello
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Could you attach an example log and tell us what you would like to match in that log.
Thanks all! Dovecot rocks.
Lou Duchez wrote:
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Hmmm, I'm using:
dovecot --version
1.2.rc3
rpm -q fail2ban
fail2ban-0.8.3-18.fc10.noarch
and this seems to work just fine for me:
failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)
in my /etc/fail2ban/filter.d/dovecot.conf.
Bill
Bill Landry wrote:
Lou Duchez wrote:
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Hmmm, I'm using:
dovecot --version
1.2.rc3
rpm -q fail2ban
fail2ban-0.8.3-18.fc10.noarch
and this seems to work just fine for me:
failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)
in my /etc/fail2ban/filter.d/dovecot.conf.
Oh, and you can test this with:
fail2ban-regex /path/to/dovecot.log "auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"
Adjust the path in the string above to point to your dovecot.log file.
Bill
On Mon, 11 May 2009 15:56:45 -0400 Lou Duchez lou@paprikash.com wrote:
Hi,
Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:
"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".
So in other words, Fail2Ban expects that each line of the log will start with a timestamp.
Thanks all! Dovecot rocks.
Well, this is not completely true... I have a working fail2ban config using the dovecot log file, not syslog, and it's working fine... I had to change the date format for the log file, but after doing that, the fail2ban works as it should...
BTJ
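To make the two-part matching concrete, here is an added Python example (not code from the thread, from Fail2Ban or from Dovecot) that replays the behaviour Bill's failregex and BTJ's date-format remark both depend on: the timestamp at the start of the line is stripped first, and only the remainder, "dovecot: " prefix and all, is searched with the failregex. The log lines are constructed for this example; the syslog-style TIMESTAMP_RE, the simplified HOST_RE stand-in for Fail2Ban's own <HOST> expansion, and the maxretry threshold are assumptions of this example, not settings taken from the thread. Bill's failregex itself is used verbatim.

```python
import re
from collections import Counter

# Constructed Dovecot 1.x-style log lines (not from the thread). The
# "dovecot: " prefix the original poster wanted to remove is present on
# every line. The last line deliberately uses an ISO date that the
# timestamp pattern below does not recognise, mirroring BTJ's point that
# the date format must be one the log parser knows before anything else
# on the line is examined.
SAMPLE_LOG = """\
May 11 15:56:45 dovecot: auth(default): passwd(alice,192.0.2.10): unknown user
May 11 15:56:47 dovecot: auth(default): passwd(bob,192.0.2.10): Password mismatch
May 11 15:56:49 dovecot: auth(default): passwd(bob,192.0.2.10): Password mismatch
May 11 15:56:50 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7
May 11 15:56:52 dovecot: auth(default): passwd(carol,198.51.100.7): unknown user
2009-05-11 15:56:55 dovecot: auth(default): passwd(dave,203.0.113.5): unknown user
"""

# Bill's failregex from the thread, verbatim.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

# Assumption: the only timestamp format this example recognises is the
# syslog-style "Mon DD HH:MM:SS" at the very start of the line.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# Assumption: a simplified stand-in for what Fail2Ban substitutes for <HOST>.
HOST_RE = r"(?P<host>[\w\-.]+)"


def compile_failregex(failregex):
    """Expand the <HOST> placeholder and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(line, failregex=compile_failregex(FAILREGEX)):
    """Return the offending host for one log line, or None.

    Step 1: the timestamp must match at the start of the line; lines with an
            unrecognised date format are ignored outright.
    Step 2: the remainder (still carrying "dovecot: ") is searched, not
            anchored, with the failregex, so the prefix does no harm.
    """
    ts = TIMESTAMP_RE.match(line)
    if ts is None:
        return None
    remainder = line[ts.end():]
    m = failregex.search(remainder)
    return m.group("host") if m else None


def count_failures(log_text):
    """Count failregex hits per host over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        host = match_line(line)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """Hosts that reached the (assumed) retry threshold, sorted for stable output."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{match_line(line)!s:>14}  {line}")
    print("failures per host:", dict(count_failures(SAMPLE_LOG)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Run against the sample, the three lines from 192.0.2.10 reach the threshold while the successful imap-login line is ignored, and the ISO-dated line is dropped before the failregex is ever consulted. That last case is the one to check when a filter "does not work": fail2ban-regex reports how many lines matched the date pattern separately from how many matched the failregex, so a zero in the first column points at the log's date format rather than at the regex.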
participants (4)
- Bill Landry
- Bjørn T Johansen
- Lou Duchez
- Steve