Yes, that works fine on my log, but I am curious why it should be restrictive?
That part of the regex is not captured stored or executed and could potentially contain any kind of output.
Once you have matched to that point, it is obviously a bad request so something from that point on should not cause a bad request not to be counted as a bad request.

- Y

On Fri, Aug 5, 2011 at 4:27 PM, Yaroslav Halchenko <> wrote:
so it is just a whitespace?  then a bit more restrictive

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

should work, please confirm -- I will commit

On Wed, 03 Aug 2011, Yehuda Katz wrote:
>    (?i): warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>\S+)\]: SASL
>    (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:
>    [A-Za-z0-9+/\W]*={0,2})?$
>    The new regex just allows whitespace in the final section of the line
>    to match "authentication failure".
Keep in touch                           
Yaroslav Halchenko       

BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
Fail2ban-users mailing list