On Mon, 12 Aug 2013 22:50:15 +0200
Aldo Reset <a...@placenet.org> wrote:
> hi
>
> dovecot filter for fail2ban do not match:
>
> dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth):
> user=<>, rip=67
>
> dovecot filter:
> failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted
> login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth
> failed).*rip=(?P<host>\S*),.*
>
>
> bst regards.
>
>
Hi,
it would be better to send this kind of report to fail2ban mailing list.
This regex should catch your log:
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted
login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth
failed|Aborted login \(tried to use disallowed plaintext
auth).*\s+rip=(?P<host>\S*),.*
pam.*dovecot.*(?:authentication
failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$
Regards
--
Laurent Papier
