On 11:59 AM, Jerrale Gayle wrote:
> I have fail2ban working for EVERYTHING else except dovecot. I have tried
> using my own custom regex in conjunction with the regex on the
> dovecot.org site. Neither are picked up by fail2ban and I'm trying to
> use an imminent attack against dovecot, going on now, to my advantage to
> see when I get the right regexp. Here are my current ones:
>
> failregex = .*dovecot: (?:pop3-login|imap-login):
> (?:Disconnected|Aborted login) \((?:auth failed, .* attempts|no auth
> attempts)\):.*rip=<HOST>,.* <<< this is my custom

There is an extra space following "(?:Disconnected|Aborted login)" in the
above. There should be only one space, not two.

Note that fail2ban comes with a fail2ban-regex command for testing
regexps against logs or log lines.

> (?: pop3-login|imap-login): (?:Authentication
> failure|Aborted login \(auth failed|Aborted login \(tried to use
> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* <<< from
> dovecot.org
> .*warning:.\S*\[(?P<host>)\]:
> SASL.(?:PLAIN|LOGIN).authentication failed:.*
>
> Here is the current attack:
>
> Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=<rahul>, method=PLAIN, rip=113.12.82.71, lip=173.50.101.12

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
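
Added example, not part of the original message: a Python sketch of the kind of check fail2ban-regex performs, run against the log line quoted above with the one-space and two-space forms of the custom failregex. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the two-space variant is constructed from the reply's description, and `find_host` and `double_spaces` are hypothetical helper names.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also accepts hostnames and IPv6).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Log line quoted in the message above.
LOG_LINE = ("Jun 10 17:18:10 mail dovecot: pop3-login: Disconnected "
            "(auth failed, 1 attempts): user=<rahul>, method=PLAIN, "
            "rip=113.12.82.71, lip=173.50.101.12")

# The custom failregex joined onto one line, with the single space
# the reply asks for after "(?:Disconnected|Aborted login)".
ONE_SPACE = (r".*dovecot: (?:pop3-login|imap-login): "
             r"(?:Disconnected|Aborted login) "
             r"\((?:auth failed, .* attempts|no auth attempts)\):"
             r".*rip=<HOST>,.*")

# Constructed variant with the doubled space the reply describes.
TWO_SPACES = ONE_SPACE.replace("Aborted login) ", "Aborted login)  ")


def find_host(failregex, line):
    """Return the captured host if failregex matches line, else None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    m = pattern.search(line)
    return m.group("host") if m else None


def double_spaces(failregex):
    """Return offsets of literal runs of two or more spaces in a failregex.

    Such runs are easy to introduce when a wrapped regex is joined back
    onto one line, and they silently stop the pattern from matching.
    """
    return [m.start() for m in re.finditer(r" {2,}", failregex)]


if __name__ == "__main__":
    for name, rx in (("one space", ONE_SPACE), ("two spaces", TWO_SPACES)):
        print(name, "->", find_host(rx, LOG_LINE),
              "| double-space offsets:", double_spaces(rx))
```
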