Thanks I have already fixed this as with my reply to Noel, his suggestion works and, as with like your example which is same as Noels first, and as he correctly it seems mentions with my tests with fail2ban-regex, it only sees TLS, the deadbeats trying to brute force me, never seem to use that, so it requires what Noel suggested, a repeat without the end ,.* as well, and our OS not using pam, so wouldnt need that
thanks anyway On 10/5/13, Oscar del Rio <del...@mie.utoronto.ca> wrote: > On 04/10/2013 1:47 AM, Nick Edwards wrote: >> filter.d/dovecot.conf >> [Definition] >> failregex = (?: pop3-login|imap-login): (?:Authentication >> failure|Aborted login \(auth failed|Aborted login \(tried to use >> disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* >> ignoreregex = > > The following is included with fail2ban 0.8.10 > > filters.d/dovecot.conf > > # Fail2Ban configuration file for dovcot > # > # Author: Martin Waschbuesch > # > # > > [Definition] > > # Option: failregex > # Notes.: regex to match the password failures messages in the logfile. > The > # host must be matched by a group named "host". The tag > "<HOST>" can > # be used for standard IP/hostname matching and is only an > alias for > # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) > # Values: TEXT > # > failregex = .*(?:pop3-login|imap-login):.*(?:Authentication > failure|Aborted login \(auth failed|Aborted login \(tried to use > disabled|Disconnected \(auth failed).*\s+rip=(?P<host>\S*),.* > pam.*dovecot.*(?:authentication > failure).*\s+rhost=<HOST>(?:\s+user=.*)?\s*$ > > # Option: ignoreregex > # Notes.: regex to ignore. If this regex matches, the line is ignored. > # Values: TEXT > # > ignoreregex = > >