#50 suggestion

open
nobody
None
5
2009-07-28
2009-07-28
Anonymous
No

Hello,
thank you for the great fail2ban. I use it for ssh and i would use it for qmail multilog, but there is no "fail"-entry.

my log:
-------
if user ok:
tcpserver: status: 1/40
tcpserver: pid 29129 from 210.19.218.054
tcpserver: ok 29129 0:85.213.57.59:110 :210.19.218.054::57679
qmail-pop3d: user xxxxxxxx logged in from 210.19.218.054:57679
tcpserver: end 29129 status 256
tcpserver: status: 0/40

if bad user:
tcpserver: status: 1/40
tcpserver: pid 29137 from 210.19.218.054
tcpserver: ok 29137 0:83.243.57.69:110 :210.19.218.054::57719
tcpserver: end 29137 status 256
tcpserver: status: 0/40

My suggestion is to use failt2ban and:
if to match on "failregex"
(e.g.: tcpserver: ok)
then add "+1" to ip-counter (210.19.218.054) and
if to match on "ignoreregex (or namd you like)" (e.g.: logged in from) then subtract "-1" from ip-counter.

Is this possible? It will be very helpful for us.
best regards from germany

Discussion