fail2ban setup centos 7 not picking auth fail?

Voytek Eymont voytek at sbt.net.au
Fri May 22 11:50:48 EEST 2020


On Fri, May 22, 2020 4:01 pm, Adi Pircalabu wrote:

>> Results
>> =======
>>
>>
>> Failregex: 5149 total
>>
> [...]
>
>>
>> Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed
>> [processed in 87.44 sec]
>>
>
> Right, so it's not a regex problem then, you're getting some matches
> there, although you might want to revisit it if the result is not
> consistent with your own searches. It might be that Dovecot isn't logging
> to systemd's journal, or the regex doesn't match the journal entries. Try
> to comment out "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in
> your filter file, restart f2b and see if there's any change. P.S. Let's try
> and keep the replies to the list :)

Adi,

This is what I got, a lot faster as well:


Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/dovecot.log
Use         encoding : UTF-8


Results
=======

Failregex: 5177 total
|-  #) [# of hits] regular expression
|   2) [5177]
^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[
*\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID
\d+ \S+\]\s+)?(?:pop3|imap)-login: (?:Info: )?(?:Aborted
login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in
\d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?:
handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL
routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
Disconnected)?)?(, session=<\S+>)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [343387] {^LN-BEG}(?:DAY )?MON Day
%k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 343387 lines, 0 ignored, 5177 matched, 338210 missed
[processed in 85.97 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all
338210 lines
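As an added check (not part of the thread), the script below runs the core of the dovecot failregex printed above over a few constructed dovecot.log lines and splits them into matched hosts and missed lines, the same way fail2ban-regex counts them. The date prefix and the `<HOST>` expansion are simplified assumptions, not fail2ban's exact ones; the sample lines are made up.

```python
import re

# Core of the dovecot failregex from the fail2ban-regex output above. The long
# syslog/journal prefix alternatives are replaced by a simple timestamp prefix
# (assumption; fail2ban uses its date detector and a far more permissive prefix).
DOVECOT_FAILREGEX = (
    r"(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?"
    r"( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking"
    r"(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+"
    r"_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?"
    r"(, session=<\S+>)?\s*$"
)

# Simplified stand-in for fail2ban's <HOST> expansion (assumption): an IPv4,
# IPv6 or hostname token, stopping at the comma that follows "rip=...".
HOST_RE = r"(?P<host>[\w\-.:]+)"

# "Mon DD HH:MM:SS " plus an optional hostname token, as in a plain dovecot.log.
DATE_PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d (?:\S+ )?"

FAILREGEX = re.compile(DATE_PREFIX + DOVECOT_FAILREGEX.replace("<HOST>", HOST_RE))


def scan(lines):
    """Return (matched_hosts, missed_lines), mirroring the matched/missed split
    that fail2ban-regex reports."""
    hosts, missed = [], []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(line)
    return hosts, missed


# Constructed dovecot.log lines (not from the thread). Only the first two are
# failures the filter counts; a successful login and a "no auth attempts"
# disconnect are deliberately included to show what ends up in "missed".
SAMPLE_LOG = [
    "May 22 10:00:01 imap-login: Info: Disconnected (auth failed, 3 attempts in 5 secs): "
    "user=<bob>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS, session=<abc123>",
    "May 22 10:00:02 pop3-login: Info: Aborted login (tried to use disabled plaintext auth): "
    "user=<alice>, rip=198.51.100.7, lip=10.0.0.5, session=<def456>",
    "May 22 10:00:03 imap-login: Info: Login: user=<carol>, method=PLAIN, "
    "rip=203.0.113.9, lip=10.0.0.5, mpid=1234, TLS, session=<ghi789>",
    "May 22 10:00:04 imap-login: Info: Disconnected (no auth attempts in 10 secs): "
    "user=<>, rip=203.0.113.12, lip=10.0.0.5, TLS, session=<jkl012>",
]

if __name__ == "__main__":
    matched, missed = scan(SAMPLE_LOG)
    print(f"{len(matched)} matched, {len(missed)} missed; hosts: {matched}")
```

Feed it real lines from /var/log/dovecot.log to see which disconnect messages the filter never counts, which is the quickest way to explain a large "missed" number like the one above.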