> a fact in 2.2.36) I believe it should be
> filter = dovecot
> instead of
> filter = dovecot-pop3imap
> [root at mail ~]# ls -l /etc/fail2ban/filter.d/doveco*
> -rw-r--r-- 1 root root 1875 May 11 2017
I believe that?s a different jail:
diff /etc/fail2ban/filter.d/dovecot-pop3imap.conf
0a1,7> # Fail2Ban filter Dovecot authentication and pop3/imap server
> #
> before = common.conf
< failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted
login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth
failed|Aborted login \(\d+ authentication attempts).*rip=`<HOST>`
< ignoreregex --->
> _auth_worker = (?:dovecot: )?auth(?:-worker)?
> _daemon = (?:dovecot(?:-auth)?|auth)
> prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?:
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info:
> failregex = ^authentication failure;
logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot
> ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth
failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+
auth|proxy dest auth failed)\):(?:
user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)?
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
> ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed:
(?:User not known to the underlying authentication module: \d+
Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
> ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown
user|invalid credentials|Password mismatch)\s*$
> <mdre-<mode>>
> mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)?
\((?:no auth attempts|disconnected before auth was ready,|client didn't
finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?:
method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
> mdre-normal =
> # Parameter `mode` - `normal` or `aggressive`.
> # Aggressive mode can be used to match log-entries like:
> # 'no auth attempts', 'disconnected before auth was
ready', 'client didn't finish SASL auth'.
> # Note it may produce lots of false positives on misconfigured MTAs.
> # Ex.:
> # filter = dovecot[mode=aggressive]
> mode = normal
> ignoreregex =
> journalmatch = _SYSTEMD_UNIT=dovecot.service
> datepattern = {^LN-BEG}TAI64N
> {^LN-BEG}
> # DEV Notes:
> # * the first regex is essentially a copy of pam-generic.conf
> # * Probably doesn't do dovecot sql/ldap backends properly (resolved in
edit 21/03/2016)
> #
> # Author: Martin Waschbuesch
> # Daniel Black (rewrote with begin and end anchors)
> # Martin O'Neal (added LDAP authentication failure regex)
> # Sergey G. Brester aka sebres (reviewed, optimized,
