fail2ban setup centos 7 not picking auth fail?
Voytek Eymont
voytek at sbt.net.au
Fri May 22 08:45:25 EEST 2020
On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
> On 22-05-2020 10:38, Voytek Eymont wrote:
>
> Hardly a Dovecot issue. Can you please post the output of this command?
> /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
# /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running tests
=============
Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/dovecot.log
Use encoding : UTF-8
Results
=======
Failregex: 5149 total
|- #) [# of hits] regular expression
| 2) [5149] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [338975] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
[processed in 87.44 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 333826 lines