search for: l2xqienyem4aaaaaaaaaaaaaaaaaaaab

...-11 08:57, James Brown wrote: >> I have turned on 'auth_debug_passwords=yes? in dovecot.conf. >> I?m trying to get Fail2ban to detect this log line: >> Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2) >> I?ve added it as the last line of my dovecot filter regex: >> failregex = >> ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+us...

I have turned on 'auth_debug_passwords=yes? in dovecot.conf. I?m trying to get Fail2ban to detect this log line: Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): sql(user at bordo.com.au <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password mismatch (given password: 2) I?ve added it as the last line of my dovecot filter regex: failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$...

...ames Brown wrote: > I have turned on 'auth_debug_passwords=yes? in dovecot.conf. > > I?m trying to get Fail2ban to detect this log line: > > Sep 11 15:52:49 mail dovecot[54239]: auth-worker(10094): > sql(user at bordo.com.au > <mailto:user at bordo.com.au>,::1,<L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): > Password mismatch (given password: 2) > > I?ve added it as the last line of my dovecot filter regex: > > failregex = > ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication > failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* > rhost=...

> Many thanks Christian. > > Added that, but it still doesn?t match: > > $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: > auth-worker(10094): > sql(user at bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password > mismatch (given password: 2)" > "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password > mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given > password: \w*)\))?$" Your log has "auth-worker(10094): sql&...