Hello all!

I am using fail2ban to help keep the bad guys away from my mail server. Well, it's been working wonderfully, but now I'm using dovecot for my imap server, and I need a bit of help.

I am using this line so far:

failregex = dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}?(?P<host>\S*)

to go through the log file entry of

12:47:58 smtp dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=xxx.xxx.xxx.xxx

in my auth.log file.

Where am I going wrong in my regex? I am FAR from an expert, so I imagine that my line that I have above might be full of problems. Any help is appreciated!

It might be clearer if you slapped it into code-tags, I'm not 100% sure what that smiley
is meant to be; but I'd guess the problem is the which won't match anything on that line.



Cheers,
Tink

Sorry about that. Yeah, sometimes, they'll grab code and make it look like smiley faces.


But here's the original code:

I'll try your idea out and see how well it works. Thanks for the quick reply! I appreciate it!

I just tested it, it works w/o the bit I pointed out.

What were you hoping to match with it?



Cheers,
Tink

The oddest thing, I went back, copied and pasted my code again, and it worked.

I was trying to match this:

smtp dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=61.152.169.150

in my /var/log/auth.log file

The guy keeps trying to log in from various points and I'm trying to get fail2ban to read the auth log file and ban him accordingly.

Thank's for all your help!