Hi Nick,

Here you go. Domain names/users have been obfuscated.

Running tests
=============

Use failregex filter file : dovecot, basedir: /etc/fail2ban
Use log file : /var/log/mail.log.1
Use encoding : UTF-8

Results
=======

Failregex: 11 total
|- #) [# of hits] regular expression
| 4) [11] dovecot:.+auth failed.+rip=<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
[processed in 0.78 sec]

|- Matched line(s):
|  Jul 11 20:16:48 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:16:52 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): us...@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
|  Jul 11 20:19:26 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
|  Jul 11 20:19:57 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
|  Jul 11 20:23:21 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
|  Jul 11 20:33:53 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): us...@example.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
|  Jul 12 00:47:33 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): ju...@example.co.uk>, method=PLAIN, rip=61.231.17.69, lip=172.31.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
`-

Missed line(s): too many to print. Use --print-all-missed to print all 6117 lines

> On 12 Jul 2018, at 09:50, Nick Howitt <n...@howitts.co.uk> wrote:
>
> Sorry, should have replied to list.
>
> Add --print-all-matched to the fail2ban-regex command
>
> On 12/07/2018 07:59, Sophie Loewenthal wrote:
>>
>> Morning,
>>
>> A new K9 Mail client gets banned all the time and I am trying to work out
>> why.
>> I have this regex:
>> failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
>>             dovecot:.+rip=<HOST>.+wrong version number
>>             dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
>>             dovecot:.+auth failed.+rip=<HOST>
>>             dovecot:.+no auth attemps.+rip=<HOST>
>> The mail.log has lines like these. The last line spams the log several times
>> a second.
>> Jul 11 06:03:12 mx10 dovecot: imap-login: Login: us...@example.org>,
>> method=PLAIN, rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, TLSv1.2
>> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>> Jul 11 06:23:07 mx10 dovecot: imap(us...@example.co.uk): Connection closed
>> (IDLE running for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B
>> out, state=wait-input) in=179 out=1726
>> user2
>> So I tested the regex and had 11 hits - unsure how to show those matched
>> lines.
>> # fail2ban-regex /var/log/mail.log.1 `pwd`/filter.d/dovecot.conf -r
>>
>> Running tests
>> =============
>>
>> Use failregex filter file : dovecot, basedir: /etc/fail2ban
>> Use log file : /var/log/mail.log.1
>> Use encoding : UTF-8
>>
>>
>> Results
>> =======
>>
>> Failregex: 11 total
>> |- #) [# of hits] regular expression
>> | 4) [11] dovecot:.+auth failed.+rip=<HOST>
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> | [6128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>> `-
>>
>> Lines: 6128 lines, 0 ignored, 11 matched, 6117 missed
>> [processed in 0.77 sec]
>>
>> Missed line(s): too many to print. Use --print-all-missed to print all 6117
>> lines
>> For the time being I have set the IPs in the ignoreip regex.
>> I've not seen the dovecot message "Connection closed (IDLE running for 0.001
>> + waiting input for" before. I don't know what it means, but the logs
>> sometimes get spammed by it from K9 Mail.
>> Has anyone seen this afore?
>> Best, Sophie
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
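The following is an added example, not code from the thread or from fail2ban itself. It replays the five failregex lines quoted above against a handful of constructed log lines modelled on the ones in the thread, so you can see which pattern fires for the K9 Mail "auth failed, N attempts in M secs" lines (the fourth one, matching the "4) [11]" in the fail2ban-regex output), that the "Login:" and "Connection closed (IDLE running ..." lines match nothing, and how a jail's ignoreip would drop the rip=127.0.0.1 hits. The <HOST> expansion used here is an assumed stand-in for fail2ban's own, the sample log lines are constructed, and the "no auth attempts" sample line assumes dovecot's spelling, which the fifth quoted pattern ("attemps") does not match.

```python
import ipaddress
import re

# The failregex list quoted in the thread (Sophie's filter.d/dovecot.conf).
FAILREGEX = [
    r"auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>",
    r"dovecot:.+rip=<HOST>.+wrong version number",
    r"dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>",
    r"dovecot:.+auth failed.+rip=<HOST>",
    r"dovecot:.+no auth attemps.+rip=<HOST>",
]

# Assumed stand-in for fail2ban's <HOST> expansion: a run of hostname/IP
# characters ending in a word character, so it stops at the next comma.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines modelled on the ones in the thread (not real logs).
SAMPLE_LOG = [
    "Jul 11 20:16:48 mx10 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): "
    "user=<user@example.co.uk>, method=PLAIN, rip=94.109.31.39, lip=172.31.1.100, TLS, "
    "TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jul 11 20:19:26 mx10 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<user@example.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
    "Jul 11 06:03:12 mx10 dovecot: imap-login: Login: user=<user@example.org>, method=PLAIN, "
    "rip=94.109.25.57, lip=172.31.1.100, mpid=17126, TLS, TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-SHA (256/256 bits)",
    "Jul 11 06:23:07 mx10 dovecot: imap(user@example.co.uk): Connection closed (IDLE running "
    "for 0.001 + waiting input for 688.172 secs, 2 B in + 10+0 B out, state=wait-input) "
    "in=179 out=1726",
    # Assumed dovecot wording ("attempts"); the fifth pattern above says "attemps".
    "Jul 11 20:40:01 mx10 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=203.0.113.5, lip=172.31.1.100, TLS",
]


def compile_failregex(patterns, host_re=HOST_RE):
    """Expand <HOST> the way a fail2ban filter would and compile each pattern."""
    return [re.compile(p.replace("<HOST>", host_re)) for p in patterns]


def match_line(compiled, line):
    """Return (pattern index, host) for the first failregex that matches, else None."""
    for index, regex in enumerate(compiled):
        found = regex.search(line)
        if found:
            return index, found.group("host")
    return None


def count_hits(lines, patterns=FAILREGEX, ignoreip=("127.0.0.0/8",)):
    """Tally hits per failregex and per host, dropping hosts covered by ignoreip.

    Returns (hits_per_pattern, hits_per_host, ignored_count). The ignoreip
    check models the jail setting; fail2ban-regex itself reports raw matches.
    """
    compiled = compile_failregex(patterns)
    ignore_nets = [ipaddress.ip_network(net) for net in ignoreip]
    per_pattern = [0] * len(patterns)
    per_host = {}
    ignored = 0
    for line in lines:
        result = match_line(compiled, line)
        if result is None:
            continue
        index, host = result
        per_pattern[index] += 1
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname rather than an address; never in ignoreip here
        if addr is not None and any(addr in net for net in ignore_nets):
            ignored += 1
            continue
        per_host[host] = per_host.get(host, 0) + 1
    return per_pattern, per_host, ignored


if __name__ == "__main__":
    per_pattern, per_host, ignored = count_hits(SAMPLE_LOG)
    for index, pattern in enumerate(FAILREGEX):
        print(f"{index + 1}) [{per_pattern[index]}] {pattern}")
    print("hits per host (after ignoreip):", per_host)
    print("matches dropped by ignoreip:", ignored)
```

Each "auth failed, 2 attempts in 12 secs" line is one hit for the failregex regardless of the attempt count inside it, so a client that retries a bad password in a tight loop reaches maxretry quickly from a single connection burst; the loopback hits only go away because of ignoreip, not because the pattern stops matching them.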