[Dovecot] Fail2Ban and the Dovecot log

Bill Landry bill at inetmsg.com
Mon May 11 23:11:19 EEST 2009


Bill Landry wrote:
> Lou Duchez wrote:
> 
>> Is there any way to disable the "dovecot: " at the beginning of each
>> line of the log?  Fail2Ban responds poorly to it.  I know there are a
>> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
>> I've tried them all, and they don't work, at least with the latest
>> Fail2ban and the latest Dovecot.  The Fail2Ban wiki is pretty clear
>> about why there will be a problem:
>>
>> "In order for a log line to match your failregex, it actually has to
>> match in two parts: the beginning of the line has to match a timestamp
>> pattern or regex, and the remainder of the line has to match your
>> failregex.".
>>
>> So in other words, Fail2Ban expects that each line of the log will start
>> with a timestamp.
> 
> Hmmm, I'm using:
> 
> dovecot --version
> 1.2.rc3
> 
> rpm -q fail2ban
> fail2ban-0.8.3-18.fc10.noarch
> 
> and this seems to work just fine for me:
> 
>    failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)
> 
> in my /etc/fail2ban/filter.d/dovecot.conf.

Oh, and you can test this with:

fail2ban-regex /path/to/dovecot.log "auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

Adjust the path in the string above to point to your dovecot.log file.

Bill
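
An offline check of the failregex quoted above, as an added example that is not part of the original message and not Fail2Ban's own code. It covers only the failregex half of the match, not Fail2Ban's timestamp detection. Assumptions: HOST_GROUP is a simplified stand-in for Fail2Ban's <HOST> expansion, and the log lines are constructed in an assumed Dovecot 1.x layout.

```python
import re
from collections import Counter

# The failregex from the message above, verbatim.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption, not
# Fail2Ban's own expression): a named group for a hostname or IP address.
HOST_GROUP = r"(?P<host>[\w.:-]+)"

# Constructed sample lines; the Dovecot 1.x log layout is assumed.
SAMPLE_LOG = """\
dovecot: May 11 22:58:01 Info: auth(default): passwd-file(alice,192.0.2.10): unknown user
dovecot: May 11 22:58:04 Info: auth(default): passwd-file(bob,192.0.2.10): Password mismatch
dovecot: May 11 22:59:30 Info: auth(default): passwd(carol,198.51.100.7): Password mismatch
dovecot: May 11 23:00:12 Info: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
dovecot: May 11 23:01:45 Info: IMAP(bob): Disconnected: Logged out
"""


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def scan(lines, failregex=FAILREGEX):
    """Return (failures per host, lines that did not match)."""
    pattern = compile_failregex(failregex)
    hits, missed = Counter(), []
    for line in lines:
        # search(), not match(): the pattern is unanchored, so the leading
        # "dovecot: " and the timestamp do not have to be described by it.
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
        else:
            missed.append(line)
    return hits, missed


if __name__ == "__main__":
    hits, missed = scan(SAMPLE_LOG.splitlines())
    for host, count in hits.most_common():
        print(f"{host}: {count} failure(s)")
    print(f"{len(missed)} line(s) not matched")
```

Successful logins and disconnects fall into the unmatched list, so only authentication failures are counted against a host.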

