On Sun, 2021-10-17 at 22:22 +0200, Tim Boneko via Fail2ban-users wrote:
> On Sunday, 17.10.2021 at 13:33 -0400, Krzysztof Adamski wrote:
> >
> > ... dovecot: imap-login: Disconnected (auth failed, 4 attempts in 53 secs): user=<finance@ ...
> >
> > What I was thinking is that "4 attempts" should be counted as 4
> > instead of as 1.
>
> Hello Krzysztof!
> I suggest a different solution: Configure logging of dovecot.
> /etc/dovecot/10-logging.conf has lots of settings to try. 1 line of
> log for 4 failed attempts is a little sparse, methinks!
> Cheers,
> tim

That is a very good idea, so I enabled more logging in dovecot, and now
I get this:

Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)

After looking at the regex in the dovecot.conf in the filter.d
directory, I realize that my knowledge of regex is not up to the task.
I'm glad that somebody has already crafted the regex and now I'm
banning more IPs.

Thank you,
K

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
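
The counting difference discussed in this thread, as an added Python example that is not part of the original messages and is not fail2ban's shipped dovecot filter: it tallies failures per source IP from the two log formats quoted above, once per matching line and once with "N attempts" weighted as N. The regexes, function names, the `maxretry` value, the sample IPs and the `rip=` tail of the summary line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges), modelled on the two
# dovecot formats quoted in the thread; the tail of the summary line is assumed.
SAMPLE_LOG = """\
Oct 17 16:30:01 mailserver dovecot: imap-login: Disconnected (auth failed, 4 attempts in 53 secs): user=<finance@example.org>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<AAAAconstructed1>
Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,198.51.100.23,<BBBBconstructed2>): unknown user (given password: qwer1234)
Oct 17 16:33:40 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<120>: sql(sales,198.51.100.23,<CCCCconstructed3>): unknown user (given password: letmein)
Oct 17 16:34:02 mailserver dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, TLS, session=<DDDDconstructed4>
"""

# One summary line per connection: "auth failed, N attempts in S secs".
SUMMARY_RE = re.compile(
    r"-login: Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\):"
    r".*\brip=(?P<ip>[0-9A-Fa-f.:]+)")
# One auth-worker line per failed attempt (seen with more verbose auth logging).
WORKER_RE = re.compile(
    r"auth-worker<\d+>: \w+\([^,]*,(?P<ip>[0-9A-Fa-f.:]+)(?:,<[^>]*>)?\): "
    r"(?:unknown user|Password mismatch)")

def count_failures(log_text, weight_summary):
    """Failures per source IP; weight_summary=True counts N attempts as N."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            counts[m["ip"]] += int(m["n"]) if weight_summary else 1
        elif (m := WORKER_RE.search(line)):
            counts[m["ip"]] += 1
    return counts

def over_threshold(counts, maxretry):
    """IPs whose failure count reaches maxretry (hypothetical ban decision)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for weighted in (False, True):
        counts = count_failures(SAMPLE_LOG, weighted)
        print("weighted" if weighted else "per-line", dict(counts),
              "ban:", over_threshold(counts, maxretry=3))
```

With verbose auth logging on, the per-attempt lines and the closing summary line can describe the same attempts, so weighting the summary as well would count them twice.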