ot: fail2ban dovecot setup

voytek at sbt.net.au voytek at sbt.net.au
Mon Dec 18 22:04:41 EET 2017


On Mon, December 18, 2017 9:40 am, Bill Shirley wrote:
> Copy dovecot-pop3imap.conf to dovecot-pop3imap.local.  Edit
> dovecot-pop3imap.local and add to the failregex: dovecot:.+auth
> failed.+rip=<HOST>
>
> Then run:
> fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.local
> and see if you get any matches.

Bill, thanks for trying to help, sorry for dumb question

shouldn't '.local' be in /etc/fail2ban/ rather than /etc/fail2ban/filter.d/ ?

I've copied it to /etc/fail2ban/, as that's where my other .local is ??

and, not sure where to add, tried 3 different places, including at the
end, but, getting:

in /etc/fail2ban/
(before addition)
# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

# cat dovecot-pop3imap.local
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=<HOST>
ignoreregex =

# fail2ban-regex /var/log/dovecot.log /etc/fail2ban/dovecot-pop3imap.local

Running tests
=============

Use   failregex file : /etc/fail2ban/dovecot-pop3imap.local
Traceback (most recent call last):
  File "/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 501, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banregex.py", line 322, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filter.py", line 113, in addFailRegex
    raise e
fail2ban.server.failregex.RegexException: Unable to compile regular expression '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*,dovecot:.+auth failed.+rip=(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
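
Why the comma-joined line in the traceback above cannot compile, and how the same two patterns behave when kept separate, as an added Python example that is not part of the original message or of fail2ban's own code. The `<HOST>` expansion is copied from the traceback; the helper names, the one-pattern-per-line model and the log lines are constructed for illustration.

```python
import re

# <HOST> expansion, copied from the traceback on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The filter's existing pattern and the suggested addition, both from the thread.
ORIGINAL = (r"(?: pop3-login|imap-login): (?:Authentication failure|"
            r"Aborted login \(auth failed|Aborted login \(tried to use disabled|"
            r"Disconnected \(auth failed).*rip=(?P<host>\S*),.*")
SUGGESTED = r"dovecot:.+auth failed.+rip=<HOST>"

def compile_failregex(value):
    """Simplified model (assumption): one pattern per non-empty line."""
    return [re.compile(line.strip().replace("<HOST>", HOST))
            for line in value.splitlines() if line.strip()]

def joined_error():
    """Comma-join both patterns on one line, as in the failing .local file."""
    try:
        compile_failregex(ORIGINAL + "," + SUGGESTED)
    except re.error as exc:
        return str(exc)   # the 'host' group is now defined twice in one regex
    return None

def matched_hosts(patterns, log_lines):
    """Return the host captured by the first pattern that matches each line."""
    hosts = []
    for line in log_lines:
        match = next((m for m in (p.search(line) for p in patterns) if m), None)
        if match:
            hosts.append(match.group("host"))
    return hosts

# Constructed sample lines (documentation addresses), not taken from a real log.
LOG = [
    "Dec 18 09:40:01 mail dovecot: imap-login: Disconnected (auth failed, "
    "1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10",
    "Dec 18 09:41:12 mail dovecot: managesieve-login: Disconnected (auth failed, "
    "2 attempts in 4 secs): user=<carol>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10",
    "Dec 18 09:42:30 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, "
    "rip=192.0.2.55, lip=192.0.2.10",
]

if __name__ == "__main__":
    print("joined on one line:", joined_error())
    separate = compile_failregex(ORIGINAL + "\n" + SUGGESTED)
    print("one per line:", matched_hosts(separate, LOG))
```

In a fail2ban filter file the second pattern goes on its own indented line under `failregex =`, not after a comma on the first.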




