From: pe...@netsecpt.pt

> Hi, I am having an issue with dovecot: in the log files, the imap inactivity
> lines have the words "auth failed" included, which is not true. What happens
> next is that fail2ban is looking for those words too in the dovecot log file,
> and when it finds them it bans my public IP address.
> Is there any chance to change this behavior in dovecot? What I mean is to
> insert "auth failed" when in fact it is an authentication failure, and not
> use it as a general term for everything in the log file.

Putting aside the semantics that not supplying credentials before the timeout *is* an auth failure, I would think the best way to handle this is to change the pattern fail2ban triggers to be more specific about what it considers an auth failure.

If this is a typical log entry you want to avoid an automatic ban

    dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user= ...

I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to 0-99sec like so

    failregex = ...( in \d{1,2} secs)...

Some BFD attempts will leak through but it avoids triggering on any inactivity >99s.

Joseph Tam <jtam.h...@gmail.com>
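
An added example, not part of the original thread and not the filter shipped with fail2ban: a simplified stand-in for the dovecot failregex, run over constructed log lines, showing which entries the `\d{1,2} secs` restriction stops matching and which addresses it no longer counts. The patterns, helper names and log lines are assumptions made for the illustration.

```python
import re

# Hypothetical, simplified patterns for illustration; NOT the failregex shipped in
# /etc/fail2ban/filter.d/dovecot.conf. fail2ban expands <HOST> itself; here a
# named group stands in for it.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login)[^(]*"
# Any elapsed time counts as a failure.
BROAD = re.compile(PREFIX + r"\(auth failed, \d+ attempts in \d+ secs\):.*\brip=" + HOST)
# Only failures reported within 0-99 seconds count, as suggested in the reply.
NARROW = re.compile(PREFIX + r"\(auth failed, \d+ attempts in \d{1,2} secs\):.*\brip=" + HOST)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar  3 10:00:09 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10
Mar  3 10:00:15 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<root>, method=LOGIN, rip=203.0.113.50, lip=192.0.2.10
Mar  3 10:02:40 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 140 secs): user=<admin>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.10
Mar  3 10:03:00 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
"""


def matched_hosts(pattern, log_text):
    """Return the source address of every line the pattern counts as a failure."""
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def leaked(log_text):
    """Addresses the broad pattern counts but the narrow one never sees."""
    narrow = set(matched_hosts(NARROW, log_text))
    return sorted(set(matched_hosts(BROAD, log_text)) - narrow)


if __name__ == "__main__":
    print("broad :", matched_hosts(BROAD, SAMPLE_LOG))
    print("narrow:", matched_hosts(NARROW, SAMPLE_LOG))
    print("only seen by broad:", leaked(SAMPLE_LOG))
```

The real filter can be checked against the real log with `fail2ban-regex` before the jail is reloaded.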