On Sun, 2021-10-17 at 16:54 -0400, Krzysztof Adamski wrote:
> On Sun, 2021-10-17 at 22:22 +0200, Tim Boneko via Fail2ban-users wrote:
> > On Sunday, 17.10.2021 at 13:33 -0400, Krzysztof Adamski wrote:
> > >
> > > ... dovecot: imap-login: Disconnected (auth failed, 4 attempts in 53 secs): user=<finance@ ...
> > >
> > > What I was thinking is that "4 attempts" should be counted as 4
> > > instead of as 1.
> >
> > Hello Krzysztof!
> > I suggest a different solution: Configure logging of dovecot.
> > /etc/dovecot/10-logging.conf has lots of settings to try. 1 line of
> > log for 4 failed attempts is a little sparse, methinks!
> > Cheers,
> > tim
>
> That is a very good idea, so I enabled more logging in dovecot, and now
> I get this:
>
> Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,219.145.118.23,<tABXVZLOhpnbkXYX>): unknown user (given password: qwer1234)
>
> After looking at the regex in the dovecot.conf in the filter.d
> directory, I realize that my knowledge of regex is not up to the task.
>
> I'm glad that somebody has already crafted the regex and now I'm
> banning more IPs.
>
>
> Thank you,
> K

I was wrong, the auth-worker failures are not being used in the ban. Is there anything I can change to enable the ban on this?
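
Added example (not part of the original thread and not fail2ban's shipped dovecot filter): a Python script that recognises both line formats quoted above and counts failures per remote IP, weighting the login summary line by its attempt count. The regexes, the function names `count_failures` and `offenders`, and the sample log lines are constructed for this illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the thread
# (documentation addresses and placeholder values, not real log data).
SAMPLE_LOG = """\
Oct 17 16:30:01 mailserver dovecot: imap-login: Disconnected (auth failed, 4 attempts in 53 secs): user=<finance@example.org>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, session=<aaaa>
Oct 17 16:33:34 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<119>: sql(orders,198.51.100.23,<bbbb>): unknown user (given password: placeholder)
Oct 17 16:33:40 mailserver dovecot: auth-worker(41189): conn unix:auth-worker (pid=41188,uid=108): auth-worker<120>: sql(orders,198.51.100.23,<cccc>): Password mismatch
Oct 17 16:34:00 mailserver dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, session=<dddd>
"""

IP = r"(?P<ip>[0-9A-Fa-f.:]+)"

# Summary line from the login process: carries the attempt count.
LOGIN_FAIL = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<[^>]*>,(?: method=\S+,)? rip=" + IP
)

# Per-attempt line from the auth worker: passdb(user,ip,<session>): reason.
# The logged password is deliberately not captured.
AUTH_WORKER = re.compile(
    r"dovecot: auth-worker\(\d+\): .*?auth-worker<\d+>: "
    r"\w+\([^,()]*," + IP + r"(?:,<[^>]*>)?\): "
    r"(?:unknown user|[Pp]assword mismatch)"
)

def count_failures(log_text):
    """Return a Counter of failed authentication attempts per remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_FAIL.search(line)
        if m:
            counts[m["ip"]] += int(m["n"])  # "4 attempts" counts as 4
            continue
        m = AUTH_WORKER.search(line)
        if m:
            counts[m["ip"]] += 1  # one line per attempt
    # If both formats are logged for the same connection, match only one
    # of them, otherwise the same attempts are counted twice.
    return counts

def offenders(counts, maxretry):
    """IPs whose failure count reaches the threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(offenders(count_failures(SAMPLE_LOG), 3))
```

To see which lines an installed filter actually matches, `fail2ban-regex` can be run with the log file and the filter file as arguments.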