hi
dovecot filter for fail2ban do not match:
dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=67
dovecot filter: failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
bst regards.
On Mon, 12 Aug 2013 22:50:15 +0200 Aldo Reset <aldo@placenet.org> wrote:
hi
dovecot filter for fail2ban do not match:
dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=67
dovecot filter: failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
bst regards.
Hi, it would be better to send this kind of report to fail2ban mailing list.
This regex should catch your log: failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.* pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
Regards
Laurent Papier
hi
this filter is from dovecot wiki.
bst regards.
Le 12/08/2013 23:38, Laurent Papier a écrit :
On Mon, 12 Aug 2013 22:50:15 +0200 Aldo Reset <aldo@placenet.org> wrote:
hi
dovecot filter for fail2ban do not match:
dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=67
dovecot filter: failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
bst regards.
Hi, it would be better to send this kind of report to fail2ban mailing list.
This regex should catch your log: failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.* pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
Regards
participants (2)
-
Aldo Reset
-
Laurent Papier