Hi,

Is there any way to disable the "dovecot: " at the beginning of each line of the log? Fail2Ban responds poorly to it. I know there are a number of sites with "failregex" strings for Fail2Ban and Dovecot, but I've tried them all, and they don't work, at least with the latest Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear about why there will be a problem:

"In order for a log line to match your failregex, it actually has to match in two parts: the beginning of the line has to match a timestamp pattern or regex, and the remainder of the line has to match your failregex.".

So in other words, Fail2Ban expects that each line of the log will start with a timestamp.

Thanks all! Dovecot rocks.

-------- Original Message --------
> Date: Mon, 11 May 2009 15:56:45 -0400
> From: Lou Duchez <lou at paprikash.com>
> To: dovecot at dovecot.org
> Subject: [Dovecot] Fail2Ban and the Dovecot log

> Hi,
>

Hello

> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the latest
> Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
> about why there will be a problem:
>
> "In order for a log line to match your failregex, it actually has to
> match in two parts: the beginning of the line has to match a timestamp
> pattern or regex, and the remainder of the line has to match your
> failregex.".
>
> So in other words, Fail2Ban expects that each line of the log will start
> with a timestamp.
>

Could you attach an example log and tell us what you would like to match in that log?

> Thanks all! Dovecot rocks.

Lou Duchez wrote:
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the latest
> Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
> about why there will be a problem:
>
> "In order for a log line to match your failregex, it actually has to
> match in two parts: the beginning of the line has to match a timestamp
> pattern or regex, and the remainder of the line has to match your
> failregex.".
>
> So in other words, Fail2Ban expects that each line of the log will start
> with a timestamp.

Hmmm, I'm using:

    dovecot --version
    1.2.rc3

    rpm -q fail2ban
    fail2ban-0.8.3-18.fc10.noarch

and this seems to work just fine for me:

    failregex = auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)

in my /etc/fail2ban/filter.d/dovecot.conf.

Bill

Re: the "dovecot: " at the beginning of the line in the log. I should mention that other applications encounter a similar issue with Fail2Ban -- for example, if you're running Asterisk, you have to alter the log format such that the timestamp is at the beginning of the line: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

On Mon, 11 May 2009 15:56:45 -0400 Lou Duchez <lou at paprikash.com> wrote:
> Hi,
>
> Is there any way to disable the "dovecot: " at the beginning of each
> line of the log? Fail2Ban responds poorly to it. I know there are a
> number of sites with "failregex" strings for Fail2Ban and Dovecot, but
> I've tried them all, and they don't work, at least with the latest
> Fail2ban and the latest Dovecot. The Fail2Ban wiki is pretty clear
> about why there will be a problem:
>
> "In order for a log line to match your failregex, it actually has to
> match in two parts: the beginning of the line has to match a timestamp
> pattern or regex, and the remainder of the line has to match your
> failregex.".
>
> So in other words, Fail2Ban expects that each line of the log will start
> with a timestamp.
>
> Thanks all! Dovecot rocks.
>

Well, this is not completely true... I have a working fail2ban config using the dovecot log file, not syslog, and it's working fine... I had to change the date format for the log file, but after doing that, the fail2ban works as it should...

BTJ
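
Added example, not part of any message in this thread and not fail2ban's own code: a simplified Python model of the two-part match described in the wiki quote, run against the failregex from Bill's message. The <HOST> expansion, the timestamp pattern, the helper names and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not its exact expansion).
HOST = r"(?P<host>[\w\-.:]+)"
# failregex quoted in Bill's message, unchanged.
FAILREGEX = r"auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)"
# Syslog-style timestamp such as "May 11 15:56:45" (assumed date format).
TIMESTAMP = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"


def match_line(line, failregex=FAILREGEX, anchored=True):
    """Return the offending host, or None if the line is not a failure.

    Models the two-part match from the wiki quote: a timestamp must be
    found first, then the rest of the line must match the failregex.
    anchored=True requires the timestamp at column 0, so a leading
    "dovecot: " prefix makes the line unmatchable.
    """
    ts = re.match(TIMESTAMP, line) if anchored else re.search(TIMESTAMP, line)
    if ts is None:
        return None
    rest = line[:ts.start()] + line[ts.end():]  # line with the timestamp cut out
    m = re.search(failregex.replace("<HOST>", HOST), rest)
    return m.group("host") if m else None


def failures_per_host(lines, **kw):
    """Count matched failures per source address."""
    return Counter(h for h in (match_line(l, **kw) for l in lines) if h)


# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    "dovecot: May 11 15:56:45 Info: auth(default): passwd-file(alice,192.0.2.10): unknown user",
    "dovecot: May 11 15:56:47 Info: auth(default): passwd-file(bob,192.0.2.10): Password mismatch",
    "dovecot: May 11 15:57:02 Info: imap-login: Login: user=<carol>, rip=198.51.100.7",
    "May 11 15:58:30 auth(default): passwd-file(dave,203.0.113.5): Password mismatch",
]

if __name__ == "__main__":
    for anchored in (True, False):
        print("anchored timestamp:", anchored,
              dict(failures_per_host(SAMPLE, anchored=anchored)))
```

To check a real filter file against a real log, use the fail2ban-regex tool that ships with fail2ban rather than this model.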