Lou Duchez wrote:
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the latest
> Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
> about why there will be a problem:
>
> "In order for a log line to match your failregex, it actually has to
> match in two parts: the beginning of the line has to match a timestamp
> pattern or regex, and the remainder of the line has to match your
> failregex.".
>
> So in other words, Fail2Ban expects that each line of the log will start
> with a timestamp.

Hmmm, I'm using:

dovecot --version
1.2.rc3

rpm -q fail2ban
fail2ban-0.8.3-18.fc10.noarch

and this seems to work just fine for me:

failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)

in my /etc/fail2ban/filter.d/dovecot.conf.

Bill
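
The two-part match described in the quoted wiki text, modelled as an added example that is not part of either message and is not Fail2Ban's own code. It applies the failregex from the reply to constructed log lines; the timestamp pattern, the `<HOST>` expansion and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: a syslog-style "Mon DD HH:MM:SS " timestamp anchored at the
# start of the line, as the quoted wiki text describes. This is a model,
# not Fail2Ban's date detector.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# Assumption: simplified stand-in for the group Fail2Ban puts in place of <HOST>.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"

# failregex taken from the reply above.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"


def match_line(line, failregex=FAILREGEX):
    """Return the host to ban, or None if either part of the match fails."""
    ts = TIMESTAMP.match(line)
    if ts is None:
        return None  # part 1 failed: the line does not start with a timestamp
    rest = line[ts.end():]
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), rest)
    return m.group("host") if m else None  # part 2: failregex on the remainder


# Constructed sample lines (not taken from a real log).
SAMPLES = [
    # syslog format: timestamp first, "dovecot: " later in the line
    "Jun  3 10:15:02 mail dovecot: auth(default): passwd-file(bob,192.0.2.10): unknown user",
    "Jun  3 10:15:09 mail dovecot: auth(default): passwd-file(alice,192.0.2.10): Password mismatch",
    # successful login: timestamp matches, failregex does not
    "Jun  3 10:16:40 mail dovecot: imap-login: Login: user=<alice>, rip=198.51.100.7",
    # "dovecot: " ahead of the timestamp, the layout the question is about
    "dovecot: Jun 03 10:17:11 Info: auth(default): passwd-file(bob,192.0.2.10): unknown user",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(match_line(line), "<-", line)
```
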