I’m having similar issues to what was mentioned here:
https://www.spinics.net/lists/fail2ban/msg01443.html

Is the Wiki at https://www.fail2ban.org/wiki/index.php/Dovecot out of date? Seems similar to https://github.com/fail2ban/fail2ban/issues/2130 as well.

2019-02-21 11:53:48,641 fail2ban.jail [21833]: INFO Jail 'dovecot-pop3imap' uses pyinotify {}
2019-02-21 11:53:48,649 fail2ban.jail [21833]: INFO Initiated 'pyinotify' backend
2019-02-21 11:53:48,651 fail2ban.filter [21833]: ERROR No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*'
2019-02-21 11:53:48,651 fail2ban.transmitter [21833]: WARNING Command ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'] has failed. Received RegexException("No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'")
2019-02-21 11:53:48,652 fail2ban [21833]: ERROR NOK: ("No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'",)

fail2ban-regex -v /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Running tests
=============
Use failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
ERROR: No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*'

[root@dsm ~]
cat /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =