[Dovecot] Fail2ban and logging

Paul van der Vlis paul at vandervlis.nl
Sun Jul 14 13:26:09 EEST 2013


Dovecot is logging authentication failures this way:
Jul 12 18:07:19 vps0 dovecot: imap-login: Disconnected (auth failed, 22
attempts in 172 secs): user=<info>, method=PLAIN, rip=,
lip=, TLS, session=<QylMqlLhVwBSX5SY>

Fail2ban is trying to catch them with this regex:
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication
failure|Aborted login \(auth failed|Aborted login \(tried to use
disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

This way fail2ban is counting 22 attempts as 1 attempt...

I expect I need to change something on the logging, so that every
attempt is seperate logged. But I don't know how.

Is here somebody who knows how to get fail2ban correct working?

No help on this on the wiki's:

With regards,
Paul van der Vlis.

Paul van der Vlis Linux systeembeheer, Groningen

More information about the dovecot mailing list