[Dovecot] fail2ban

Nick Edwards nick.z.edwards at gmail.com
Sat Oct 5 18:31:51 EEST 2013


Thanks, I have already fixed this, as with my reply to Noel; his suggestion works.
And, as with your example, which is the same as Noel's first, and as he
correctly, it seems, mentions, with my tests with fail2ban-regex it only
sees TLS. The deadbeats trying to brute force me never seem to use
that, so it requires what Noel suggested, a repeat without the end ,.*
as well, and our OS is not using pam, so wouldn't need that.

thanks anyway


On 10/5/13, Oscar del Rio <delrio at mie.utoronto.ca> wrote:
> On 04/10/2013 1:47 AM, Nick Edwards wrote:
>> filter.d/dovecot.conf
>> [Definition]
>> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
>> ignoreregex =
>
> The following is included with fail2ban 0.8.10
>
> filters.d/dovecot.conf
>
> # Fail2Ban configuration file for dovcot
> #
> # Author: Martin Waschbuesch
> #
> #
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
> # Values:  TEXT
> #
> failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.*
>              pam.*dovecot.*(?:authentication failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
>
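Added example, not part of the original message and not fail2ban's own code: a small Python check of the behaviour discussed above, running the quoted 0.8.10 failregex and the repeat without the trailing `,.*` over sample lines. The log lines are constructed and assume a login log format where rip= is the last field, so only TLS sessions have ", TLS" after the address; the names SAMPLE_LOG, WITH_TAIL, NO_TAIL, captured_host and coverage are this example's own.

```python
import re

# Constructed sample lines (not from the thread). Assumption: rip= is the last
# field, so a comma follows the address only when ", TLS" is appended.
SAMPLE_LOG = [
    "Oct  5 10:00:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<bob>, method=PLAIN, lip=192.0.2.10, rip=203.0.113.7, TLS",
    "Oct  5 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): "
    "user=<alice>, method=PLAIN, lip=192.0.2.10, rip=198.51.100.23",
    "Oct  5 10:00:09 mail dovecot: imap-login: Login: "
    "user=<carol>, method=PLAIN, lip=192.0.2.10, rip=192.0.2.55, TLS",
]

# Common part of the failregex quoted from fail2ban 0.8.10, up to the host group.
PREFIX = (
    r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
    r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed).*\s+rip=(?P<host>\S*)"
)

WITH_TAIL = re.compile(PREFIX + r",.*")  # as quoted: a comma must follow the address
NO_TAIL = re.compile(PREFIX)             # the repeat without the ending ",.*"


def captured_host(regex, line):
    """Return the text captured by the 'host' group, or None if the line does not match."""
    match = regex.search(line)
    return match.group("host") if match else None


def coverage(lines):
    """For each line, return (host seen by WITH_TAIL, host seen by NO_TAIL)."""
    return [(captured_host(WITH_TAIL, l), captured_host(NO_TAIL, l)) for l in lines]


if __name__ == "__main__":
    for line, (with_tail, no_tail) in zip(SAMPLE_LOG, coverage(SAMPLE_LOG)):
        print(line[-34:])
        print("  with ',.*':   ", with_tail)
        print("  without ',.*':", no_tail)
```

On the TLS line the pattern without the ending captures the address together with its trailing comma, because `\S*` is greedy; the original pattern captures it cleanly there.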

