> On 11 Sep 2017, at 5:38 pm, Christian Kivalo <ml+dove...@valo.at> wrote: > >> Many thanks Christian. >> Added that, but it still doesn’t match: >> $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): >> sql(u...@bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password >> mismatch (given password: 2)" >> "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password >> mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given >> password: \w*)\))?$" > Your log has "auth-worker(10094): sql" whereas the fail2ban regex has > ")sauth: Info: sql\(\". When you change that to ")sauth-worker: sql\(\" does > it work then? > > Try to reduce the regex to a working minimum and then add parts back until it > breaks…
Thanks Christian. That didn’t work either: $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(u...@bordo.com.au,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2)" "^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$" Running tests ============= Use failregex line : ^%(__prefix_line)sauth-worker: sql\(\S+,<HOST>,\<\... Use single line : Sep 11 15:52:49 mail dovecot[54239]: auth-worker(1... Results ======= Failregex: 0 total Should there be something after “sauth-worker” for the ‘(10094)’? Will keep trying deleting stuff till it works. Thanks, James.
smime.p7s
Description: S/MIME cryptographic signature