Bill Landry wrote:
> Lou Duchez wrote:
>
>> Is there any way to disable the "dovecot: " at the beginning of each
>> line of the log? Fail2Ban responds poorly to it. I know there are a
>> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
>> I've tried them all, and they don't work, at least with the latest
>> Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
>> about why there will be a problem:
>>
>> "In order for a log line to match your failregex, it actually has to
>> match in two parts: the beginning of the line has to match a timestamp
>> pattern or regex, and the remainder of the line has to match your
>> failregex.".
>>
>> So in other words, Fail2Ban expects that each line of the log will start
>> with a timestamp.
>
> Hmmm, I'm using:
>
> dovecot --version
> 1.2.rc3
>
> rpm -q fail2ban
> fail2ban-0.8.3-18.fc10.noarch
>
> and this seems to work just fine for me:
>
> failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)
>
> in my /etc/fail2ban/filter.d/dovecot.conf.

Oh, and you can test this with:

fail2ban-regex /path/to/dovecot.log "auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

Adjust the path in the string above to point to your dovecot.log file.

Bill
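
An offline check in the spirit of the fail2ban-regex command above, added here as an example (not code from the thread or from Fail2Ban): it applies the posted failregex to constructed log lines and reports the host captured from each failure. The `<HOST>` expansion and the sample lines are assumptions, and Fail2Ban's own timestamp detection is not modeled.

```python
import re

# Failregex exactly as posted in the thread.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"

# Assumption: simplified stand-in for Fail2Ban's <HOST> tag (IP literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# Constructed sample lines shaped to fit the regex; not taken from a real log.
SAMPLE_LOG = """\
dovecot: May 20 10:15:01 Info: auth(default): passwd-file(alice,192.0.2.10): unknown user
dovecot: May 20 10:15:04 Info: auth(default): passwd-file(bob,192.0.2.10): Password mismatch
dovecot: May 20 10:15:09 Info: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7
May 20 10:16:30 mail dovecot: auth(default): passwd(dave,2001:db8::5): Password mismatch
dovecot: May 20 10:17:00 Info: auth(default): passwd-file(erin,192.0.2.44): lookup ok
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group and compile the result."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, nothing to ban")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Return (line_number, host) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        # Unanchored search: text before "auth" (prefix, timestamp) is skipped.
        match = pattern.search(line)
        if match:
            hits.append((number, match.group("host")))
    return hits


def count_by_host(hits):
    """Tally failures per host, the figure a ban threshold is compared to."""
    counts = {}
    for _, host in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = failed_hosts(SAMPLE_LOG)
    for number, host in hits:
        print(f"line {number}: failure from {host}")
    print(count_by_host(hits))
```

Lines 3 and 5 of the sample are a successful login and a successful lookup, so a correct filter must leave them unmatched.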
