My regex to fail2ban for dovecot 2.0beta5 in user in sql base work like this!
failregex = dovecot: auth: sql.*,<HOST>.*: Password mismatch > dovecot: auth: sql.*,<HOST>.*: unknown user > And if you use smtp-auth in postfix truth dovecot here it is my regex for it failregex = warning:.*\[<HOST>.*: SASL login authentication failed:.* > Sorry if this is not what you want! []'sf.rique On Fri, Jun 11, 2010 at 2:00 AM, Jerrale Gayle < jerralega...@sheltoncomputers.com> wrote: > Yeah, you're wrong. With regexp, you can have fail2ban ignore any part of > the log > file, as in ANYTHING containing text around anything will be caught. You > can have fail2ban ban every ip address that shows up in the log! > > > > > On 6/10/2010 5:38 PM, fakessh wrote: > >> "hi dovecot network >> >> the principle of fail2ban is repeated for connections with the same login >> fail2ban does not work if the attack changes to login every time >> this type of attack is rather to find valid user accounts" >> >> > > I may be wrong, I hope I too am a victim of this kind of attacks >> >> > > Yeah, you're wrong. With regexp, you can have fail2ban ignore any part of >> the log >> file, as in ANYTHING containing text around anything will be caught. You >> can have fail2ban ban every ip address that shows up in the log! >> >> > > >
