LinuxQuestions.org

Linux - Security: Fail2ban regex help please (https://www.linuxquestions.org/questions/linux-security-4/fail2ban-regex-help-please-809672/)

wvroger 05-23-2010 06:30 PM

Fail2ban regex help please
 
I'm trying to get a working regex for Kerio Mailserver; the security logs have the following:

[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@commgtonline.com.
[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@commgtonline.com.
[23/May/2010 02:20:43] Failed POP3 login from 69.50.222.6, user matt@commgtonline.com.

I have searched the web (Google) and can't find anything for Kerio. I've tried the following without success:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#timeregex = \S{3}[ ]{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#timepattern = %%d/%%m/%%Y %%H:%%M:%%S

failregex = \[Failed POP3 login from\].*from <HOST>


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


Any help would be greatly appreciated.

Thanks

roger at emailstore.us

unSpawn 05-23-2010 07:30 PM

That's odd because if I google://fail2ban +kerio then this (failregex = .* Failed (POP3|IMAP) login from <HOST>.*$) and that (failregex = POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]) are the only two entries above this thread. Since you commented out your time regex maybe try "failregex = ^.*Failed POP3 login from <HOST>,.*$" (bit greedy) and if this doesn't work please don't say "it doesn't work" but use 'fail2ban-regex' to test.
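Added example, not code from the thread or from fail2ban itself: a small Python harness that does what the reply asks of fail2ban-regex, expanding <HOST> into the named group the posted config header describes and running each failregex mentioned in the thread over constructed log lines in the Kerio format shown in the question.

```python
import re

# Alias the posted config header gives for the <HOST> tag.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample lines in the Kerio security-log format from the question
# (the IP 69.50.222.6 is the one shown there; the others are documentation ranges).
SAMPLE_LOG = """\
[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@example.com.
[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@example.com.
[23/May/2010 02:21:05] Failed IMAP login from 198.51.100.7, user matt@example.com.
[23/May/2010 02:21:09] Successful POP3 login from 203.0.113.9, user anna@example.com.
"""

# The three failregex values that appear in the thread, exactly as written:
# the one posted in the question, the one the reply found on the web,
# and the one the reply suggests.
CANDIDATES = {
    "posted":    r"\[Failed POP3 login from\].*from <HOST>",
    "found":     r".* Failed (POP3|IMAP) login from <HOST>.*$",
    "suggested": r"^.*Failed POP3 login from <HOST>,.*$",
}

def expand_host(failregex):
    """Replace the <HOST> tag with the named group fail2ban expands it to."""
    return failregex.replace("<HOST>", HOST_TAG)

def matched_hosts(failregex, log_text):
    """Return the 'host' group captured from every line the failregex matches,
    in file order, which is what fail2ban would try to ban."""
    pattern = re.compile(expand_host(failregex))
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

def report(log_text=SAMPLE_LOG):
    """Match count per candidate, the headline number fail2ban-regex prints."""
    return {name: len(matched_hosts(rx, log_text)) for name, rx in CANDIDATES.items()}

if __name__ == "__main__":
    for name, rx in CANDIDATES.items():
        print(f"{name:10s} {rx}")
        print("   captured hosts:", matched_hosts(rx, SAMPLE_LOG))
```

The "posted" pattern matches nothing because the log line starts with a timestamp, not a literal "[Failed POP3 login from]". The "found" pattern captures the IP with its trailing comma, since \S+ is greedy and the comma is not whitespace, so the ban target would be wrong; the "suggested" pattern anchors on that comma and captures the bare address.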
