Bingo! Thanks, working now
On 10/5/13, Noel Butler <noel.but...@ausics.net> wrote:
> On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
>> For dovecot 2.1
>>
>> as per wiki2, is this still valid? noticed a problem before and saw
>> it does seem to be triggering, I use:
>>
>
> looks outdated
>
>> filter.d/dovecot.conf
>
> That'll never work, you need to change
>
>> [Definition]
>> failregex = (?: pop3-login|imap-login): (?:Authentication
>
> to
>
> failregex = (?: pop3-login|imap-login): .*(?:Authentication
>                                         ^^
>
> BUT, then, with the rest of your regex, it will only partly match
> because it's looking for ", something" like " ,TLS" at the end which
> won't appear on failed imap/pop3 logins that don't use TLS, etc, so any
> failed attempts using TLS, will be found, if they are not using it, they
> will be missed (most miscreants likely won't be using it anyway)
>
> I am NO python expert, in fact, I know less than less about python, so
> you'll best need to wait for someone who knows the answer, or ask on
> fail2ban list, on how you can change that to match both, by changing
> the last bit to
> \(auth failed).*rip=(?P<host>\S*) <some variable here to match
> on ,TLS or nothing at all>
>
> in meantime, you could repeat your failregex, like
>
> failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|
> Aborted login \(auth failed|Aborted login \(tried to use disabled|
> Disconnected \(auth failed).*rip=(?P<host>\S*),.*
> (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted
> login \(auth failed|Aborted login \(tried to use disabled|Disconnected
> \(auth failed).*rip=(?P<host>\S*)
>
>
> I think that's horrible, messy, yukky, but it likely might work :) at
> least until you find a better answer, there are some fail2ban fanbois on
> this list, but as it's the weekend, you may need to be patient.
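
Added example, not part of either poster's message or of fail2ban's shipped filter: a Python check of the pattern shapes discussed in the thread against constructed log lines, plus one hypothetical single pattern that ends the host at whitespace or a comma so both the TLS and non-TLS cases match. The log line layout (an `Info:` field after the service name, and `rip=` as the last field on the non-TLS line) is an assumption.

```python
import re

# Building blocks copied from the failregex quoted in the thread.
PREFIX = r"(?: pop3-login|imap-login): "
REASONS = (r"(?:Authentication failure|Aborted login \(auth failed|"
           r"Aborted login \(tried to use disabled|Disconnected \(auth failed)")

PATTERNS = {
    # Reason must follow the prefix directly (the ".*" is missing).
    "no_wildcard": PREFIX + REASONS + r".*rip=(?P<host>\S*),.*",
    # ".*" added, but a comma is still required after the address.
    "trailing_comma": PREFIX + r".*" + REASONS + r".*rip=(?P<host>\S*),.*",
    # Comma dropped: \S* now swallows a comma that follows the address.
    "no_comma": PREFIX + r".*" + REASONS + r".*rip=(?P<host>\S*)",
    # Hypothetical single pattern (assumption, not from the thread):
    # the host ends at the first whitespace or comma, or at end of line.
    "either": PREFIX + r".*" + REASONS + r".*rip=(?P<host>[^\s,]+)",
}

# Constructed sample lines; the field layout is an assumption.
SAMPLE_LOG = [
    # failed login over TLS: more fields follow rip=
    "Oct 04 15:40:01 imap-login: Info: Disconnected (auth failed, 3 attempts): "
    "user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS",
    # failed login without TLS: rip= is the last field
    "Oct 04 15:41:12 pop3-login: Info: Aborted login (auth failed, 1 attempts): "
    "user=<alice>, method=PLAIN, rip=198.51.100.23",
    # successful login: must never produce a ban candidate
    "Oct 04 15:42:30 imap-login: Info: Login: user=<carol>, method=PLAIN, "
    "rip=192.0.2.55, lip=192.0.2.10, TLS",
]


def hosts(name, lines=SAMPLE_LOG):
    """Return the captured host for each line, or None where the line is missed."""
    pattern = re.compile(PATTERNS[name])
    found = []
    for line in lines:
        match = pattern.search(line)
        found.append(match.group("host") if match else None)
    return found


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:15} {hosts(name)}")
```

The `fail2ban-regex` tool that ships with fail2ban can run a filter file against a real log in the same way before the jail is reloaded.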