The issue:
Hi,
I'm trying to ban unsuccessful auth / login tries. There are some tutorials/howtos but it seems they are using some kind of outdated regex?
/etc/fail2ban # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Running tests
=============
Use failregex filter file : dovecot-pop3imap, basedir: /etc/fail2ban
ERROR: No failure-id group in '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*'
I was looking at https://wiki.dovecot.org/HowTo/Fail2Ban and also https://www.fail2ban.org/wiki/index.php/Dovecot.
The example in the 2nd page doesn't throw an error but I'm also not sure if it does what I actually want it to do.
Steps to reproduce
Create dovecot-pop3imap.conf as described in the dovecot wiki
Expected behavior
Banning failed login/auth tries.
Observed behavior
Regex not working.
Any additional information
I've upgraded Ubuntu server yesterday and it installed a newer version of fail2ban. Since then the custom configuration no longer works.
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
Relevant parts of /var/log/fail2ban.log file:
preferably obtained while running fail2ban with loglevel = 4
2018-05-16 14:20:09,136 fail2ban.filter [31796]: ERROR No failure-id group in '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*'
2018-05-16 14:20:09,136 fail2ban.transmitter [31796]: WARNING Command ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*'] has failed. Received RegexException("No failure-id group in '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*'",)
2018-05-16 14:20:09,137 fail2ban [31796]: ERROR NOK: ("No failure-id group in '(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*'",)
Relevant lines from monitored log files in question:
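An added example, not part of the original post and not fail2ban's own code: a Python check that reproduces the "No failure-id group" rejection for the failregex quoted above and shows the same pattern passing once the custom `(?P<host>\S*)` group is replaced by fail2ban's `<HOST>` tag. It assumes the newer fail2ban accepts a failregex only if it defines one of the groups `fid`, `ip4`, `ip6` or `dns`; `HOST_STANDIN`, `compile_failregex` and `failure_id` are hypothetical names, and the log lines are constructed.

```python
import re

# Assumption: group names the newer fail2ban treats as a failure id.
FAILURE_ID_GROUPS = ("fid", "ip4", "ip6", "dns")

# Simplified stand-in for what fail2ban substitutes for <HOST>; the real
# expansion also covers IPv6 and is stricter.
HOST_STANDIN = r"(?:(?P<ip4>\d{1,3}(?:\.\d{1,3}){3})|(?P<dns>[\w\-.^_]*\w))"

# failregex from the post (Dovecot wiki version), copied verbatim.
WIKI_REGEX = (r"(?: pop3-login|imap-login): (?:Authentication failure|"
              r"Aborted login \(auth failed|Aborted login \(tried to use disabled|"
              r"Disconnected \(auth failed).*rip=(?P<host>\S*),.*")

# Same regex with the custom host group swapped for the <HOST> tag.
TAG_REGEX = WIKI_REGEX.replace(r"(?P<host>\S*)", "<HOST>")

def compile_failregex(regex):
    """Expand <HOST>, compile, and reject a regex without a failure-id group."""
    pattern = re.compile(regex.replace("<HOST>", HOST_STANDIN))
    if not any(g in pattern.groupindex for g in FAILURE_ID_GROUPS):
        raise ValueError("No failure-id group in %r" % regex)
    return pattern

def failure_id(pattern, line):
    """Return the address or name captured from a log line, or None."""
    m = pattern.search(line)
    if m is None:
        return None
    return next((m.group(g) for g in FAILURE_ID_GROUPS
                 if g in pattern.groupindex and m.group(g)), None)

# Constructed sample lines (203.0.113.7 is a documentation address).
FAILED = ("May 16 14:19:58 mail dovecot: imap-login: Disconnected (auth failed, "
          "2 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, "
          "lip=192.0.2.10, TLS")
OK = ("May 16 14:20:03 mail dovecot: imap-login: Login: user=<bob>, "
      "method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS")

if __name__ == "__main__":
    try:
        compile_failregex(WIKI_REGEX)
    except ValueError as exc:
        print("rejected:", exc)
    pat = compile_failregex(TAG_REGEX)
    print(failure_id(pat, FAILED), failure_id(pat, OK))
```

On a real host, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf`, the command already used in the post, reports how many lines of the actual log the edited filter matches.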