Rev 5 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed
# Fail2Ban filter Dovecot authentication and pop3/imap server#[INCLUDES]before = common.conf[Definition]_daemon = (auth|dovecot(-auth)?|auth-worker)failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ignoreregex =# DEV Notes:# * the first regex is essentially a copy of pam-generic.conf# * Probably doesn't do dovecot sql/ldap backends properly## Author: Martin Waschbuesch# Daniel Black (rewrote with begin and end anchors)