Hello again. Just in case someone comes here facing the same problem I was facing I found that horde has, at least in version 5.2.22, the functionality to block a user for a number of minutes after a certain amount of failed logins so you could just go to Configuration -> Horde -> Authentication and enable this feature there.
Best regards,
David Wells.
El 11/06/2019 a las 11:59, David Wells - Alfavinil S.A. escribió:
> Thank you very much for your answer.
>
> I tried your suggestion but it doesn't work either. However I managed
> to get it to work with the following regex "HORDE: \[(horde|imp)\]
> FAILED LOGIN for \S+ to (horde|{[^}]+}) \(<HOST>\) (.*)$"
>
> Thank you very much again.
> Best regards,
> David Wells.
>
> El 11/06/2019 a las 11:25, Denis Rasulev escribió:
>> Dear David,
>>
>> Please, try this regex:
>>
>> ^HORDE: \[(horde|imp)\] FAILED LOGIN for \S+ to horde \(<HOST>\) \[.*\]$
>>
>> You can test it like this:
>>
>> fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/horde.local
>> --print-all-missed > /home/<your_username>/missed.txt
>>
>> or even like this:
>>
>> fail2ban-regex /var/log/auth.log '^HORDE: \[(horde|imp)\] FAILED
>> LOGIN for \S+ to horde \(<HOST>\) \[.*\]$' --print-all-missed >
>> /home/<your_username>/missed.txt
>>
>> Here you will find more info on how to test your regex with
>> fail2ban-regex:
>>
>> http://manpages.ubuntu.com/manpages/bionic/man1/fail2ban-regex.1.html
>>
>> Hope this helps.
>>
>> Regards,
>> Denis Rasulev
>>
>>> On 10 Jun 2019, at 18:28, David Wells - Alfavinil S.A.
>>> <dwe...@alfavinil.com <mailto:dwe...@alfavinil.com>> wrote:
>>>
>>> Good afternoon.
>>>
>>> I recently upgraded Horde webmail edition to 5.2.22 and the fail2ban
>>> regex isn't matching the log line even though I'm testing the regex with
>>> debbuex.com <http://debbuex.com> and it says it should match. I'm
>>> not very knowledgeable in
>>> regular expressions and was hoping someone here could lend me a hand.
>>>
>>> The regex I came up with is "^ HORDE: \[(horde|imp)\] FAILED LOGIN for
>>> \S+ to (horde|{[^}]+}) \(<HOST>\) (.*)$"
>>>
>>> A sample line to match is as follows " HORDE: [horde] FAILED LOGIN for
>>> username to horde (127.0.0.1) [pid 2096 on line 199 of
>>> "/var/www/horde/login.php"]"
>>>
>>> I replaced the real IP address with 127.0.0.1 for security purposes but
>>> in the log file I have a real valid IP address.
>>>
>>> Thank you very much in advance,
>>> David Wells.
>>>
>>> <dwells.vcf>_______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> <mailto:Fail2ban-users@lists.sourceforge.net>
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>
>
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
<<attachment: dwells.vcf>>
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
