From: Yaroslav H. <li...@on...> - 2010-09-17 01:40:29
|
On Thu, 16 Sep 2010, Martin Waschbuesch wrote: > I may have found something (thanks for pointing out the date inconsistency possibility): > piping /var/log/qmail/dovecot/current through tai64nlocal gives (for the last wrong attempt): > 2010-09-16 21:12:38.231499500 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<ma...@wa...>, method=CRAM-MD5, rip=88.217.137.187, lip=80.254.129.240, TLS > Now, fail2ban-regex gave this: > 88.217.137.187 (Thu Sep 16 20:12:48 2010) > There's a mismatch of an hour here. hm -- could you please try running fail2ban after applying supplied patch, then enable debugging per René's instructions, imitate the attack, and observe fail2ban.log -- would there be new kind of Ignore lines? -- .-. =------------------------------ /v\ ----------------------------= Keep in touch // \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User ^^-^^ [175555] |