On 2020-01-05 11:33 AM, Courtney Rosenthal wrote:
> ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth
> failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed)
> \S+
> auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=
> \S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
>
> Jan 4 17:09:10 tasha dovecot: imap-login: Disconnected
> (no auth attempts in 1 secs): user=<>, rip=70.112.73.79,
> lip=172.31.34.31, session=<tb4cfFObHYZGcElP>
>

I admit that my regex skills are weak. Nevertheless, your filter regex seems unnecessarily complicated, even allowing for combining a match to two similar log entries.

Would this work as well?

  ^.* Disconnected \(no auth attempts .* rip=<HOST>, .*$
  ^.* Aborted \(auth failed .* rip=<HOST>, .*$

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
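
The question asked above can be checked offline by running each pattern over sample lines. This is an added example, not part of the original message and not fail2ban code; fail2ban-regex is the tool for the real check. Assumptions: `<HOST>` is expanded to a simplified IPv4 group, the line-wrapped pattern from the quote is joined as shown, the strict pattern is applied to the text after `imap-login: `, and the "Aborted login" line is constructed to fit the quoted pattern.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Quoted filter pattern with the mail line-wraps joined (join points assumed).
STRICT = (r"^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, "
          r"\d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ "
          r"auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?"
          r"(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$")
# The two shorter patterns proposed in the reply, copied as written.
LOOSE_DISCONNECTED = r"^.* Disconnected \(no auth attempts .* rip=<HOST>, .*$"
LOOSE_ABORTED = r"^.* Aborted \(auth failed .* rip=<HOST>, .*$"

# Log line from the thread, unwrapped.
NO_AUTH = ("Jan 4 17:09:10 tasha dovecot: imap-login: Disconnected "
           "(no auth attempts in 1 secs): user=<>, rip=70.112.73.79, "
           "lip=172.31.34.31, session=<tb4cfFObHYZGcElP>")
# Constructed line shaped after the quoted pattern (documentation-range address).
AUTH_FAILED = ("Jan 4 17:12:44 tasha dovecot: imap-login: Aborted login "
               "(auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, "
               "rip=192.0.2.10, lip=172.31.34.31, session=<constructedSess01>")

def compile_failregex(failregex):
    """Expand the fail2ban-style tags into a plain Python regex."""
    rx = failregex.replace("<HOST>", HOST)
    rx = rx.replace("<F-USER>", "(?P<user>").replace("</F-USER>", ")")
    return re.compile(rx)

def banned_host(failregex, text):
    """Return the address the pattern would hand to the ban action, or None."""
    m = compile_failregex(failregex).search(text)
    return m.group("host") if m else None

def message(line):
    """Assumed prefix handling: keep only the text after 'imap-login: '."""
    return line.split("imap-login: ", 1)[1]

def results():
    return {
        "strict / no-auth line": banned_host(STRICT, message(NO_AUTH)),
        "strict / auth-failed line": banned_host(STRICT, message(AUTH_FAILED)),
        "loose disconnected / no-auth line": banned_host(LOOSE_DISCONNECTED, NO_AUTH),
        "loose aborted / auth-failed line": banned_host(LOOSE_ABORTED, AUTH_FAILED),
    }

if __name__ == "__main__":
    for name, host in results().items():
        print(f"{name:36} -> {host}")
```

A `None` result means the pattern would never trigger a ban for that line shape, so each candidate should be run against every log format it is meant to cover.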