search for: sauth

...authentication$ >> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ >> ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ >> ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ > ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|gi...

...known to the underlying authentication$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given password: \w*)\))?$ Have spent ages googling and trying different variations. Does anyone have a fail2ban regex that would work on the above Dovecot log line? (Running latest version...

...> > Added that, but it still doesn?t match: > > $ fail2ban-regex "Sep 11 15:52:49 mail dovecot[54239]: > auth-worker(10094): > sql(user at bordo.com.au,::1,L2xqieNYeM4AAAAAAAAAAAAAAAAAAAAB>): Password > mismatch (given password: 2)" > "^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password > mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given > password: \w*)\))?$" Your log has "auth-worker(10094): sql" whereas the fail2ban regex has ")sauth: Info: sql\(\". When you change th...

...thentication$ > ^%(__prefix_line)s(auth|auth-worker\(\d+\)): > (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ > ^%(__prefix_line)s(auth|auth-worker\(\d+\)): Info: > ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ > ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>\): (Password > mismatch|unknown user)( \((SHA1 of given password: [0-9a-f]{5,40}|given > password: \w*)\))?$ ^%(__prefix_line)sauth: Info: sql\(\S+,<HOST>,\<\S+\>\): (Password mismatch|unknown user)( \((SHA1 of given password: [0-9a-...

Hi folks, "somehow" similar to the thread "under some kind oof attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wron password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them. For example one IP: Jul 25