Re: [Fail2ban-users] Fail2Ban and Dovecot

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On May 29, 2011, at 8:49 PM, Ed Ravin wrote:

>   auth_verbose=yes
> 
> This tells Dovecot to log those bad password attempts.  It still won't
> stop them, but now that you've got logs to work with you can trigger
> fail2ban with a regex like this:
> 
>   failregex = dovecot.*auth.default.: .*,<HOST>.: Password mismatch
>               dovecot.*auth.default.: .*,<HOST>.: unknown user
>               dovecot.* (?:imap|pop3)-login: Aborted login: rip=<HOST>,

Ed,

Thanks.  I did as you suggested. That seemed to help for a while.  Here's the latest:

Jun  4 11:47:35 fortapache dovecot: auth(default): pam(admin,211.100.52.212): pam_authenticate() failed: User not known to the underlying authentication module
Jun  4 11:47:40 fortapache dovecot: auth(default): pam(mail,211.100.52.212): pam_authenticate() failed: Authentication failure

I never really mastered regexes. Would the following work on the above?

	dovecot.*auth.default.: .*,<HOST>.: Authentication failure

Bob