Displaying 5 results from an estimated 5 matches for "journalmatch".
2020 May 22
3
fail2ban setup centos 7 not picking auth fail?
On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote:
> On 22-05-2020 10:38, Voytek Eymont wrote:
>
> Hardly a Dovecot issue. Can you please post the output of this command?
> /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Adi,
thanks, what I get is:
# /usr/bin/fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/dovecot.conf
Running
2020 May 22
0
fail2ban setup centos 7 not picking auth fail?
...gex problem then, you're getting some matches
there, although you might want to revisit it if the result is not
consistent with your own searches. It might be that Dovecot isn't
logging to systemd's journal, or the regex doesn't match the journal
entries. Try to comment out "journalmatch =
_SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b
and see if there's any change.
P.S. Let's try and keep the replies to the list :)
--
Adi Pircalabu
2019 Apr 09
1
Editing fail2ban page?
In https://wiki.dovecot.org/HowTo/Fail2Ban, for a current (I know for
a fact in 2.2.36) I believe it should be
filter = dovecot
instead of
filter = dovecot-pop3imap
[root@mail ~]# ls -l /etc/fail2ban/filter.d/doveco*
-rw-r--r-- 1 root root 1875 May 11 2017 /etc/fail2ban/filter.d/dovecot.conf
[root@mail ~]#
2020 May 22
1
fail2ban setup centos 7 not picking auth fail?
...on failure
\(password mismatch\?\))\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots o...
2020 May 22
4
fail2ban setup centos 7 not picking auth fail?
...a regex problem then, you're getting some matches
there, although you might want to revisit it if the result is not
consistent with your own searches. It might be that Dovecot isn't
logging to systemd's journal, or the regex doesn't match the journal
entries. Try to comment out "journalmatch =
_SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b
and see if there's any change.
P.S. Let's try and keep the replies to the list :)
--
Adi Pircalabu