Re: [Fail2ban-users] Dovecot RegEx

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 19/09/13 08:28, Daniel Black wrote:
> On 18/09/13 00:20, Bob Cohen wrote:
>> Hi Folks,
>>
>> I periodically get these dictionary attacks on my dovecot mail server:
>>
>> dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s)
>>
>> My regex does not seem to catch these pesky intrusions:
>>
>> [Definition]
>> failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
>> ignoreregex =
>>
>> Suggestions?
> 
> I've redone the regex in accordance with recommended practice in in the
> DEVELOP documentation.
> 
> https://github.com/grooverdan/fail2ban/commit/89e0520675ad822ab6935ade97554e8fd338e2c4
> 
> Does this match all of the entries you need to match?
> 
> If it doesn't can you provide some more log examples.
> 

Bob, Any feedback on the above?