Hi I want to block using fail2ban for password attacks to dovecot imap server. Dovecot log files has many many lines like this; Oct 13 02:22:08 mail dovecot: auth: passwd([email protected],111.22.33.44,<4nr7gJPo6wC8OVQm>): unknown user Oct 13 02:21:57 mail dovecot: auth-worker(3447): shadow([email protected],111.222.33.44): unknown user after search the net,I found a filter but it is not working: #fail2ban-regex /root/demolog "auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch)" Running tests ============= Use regex line : auth.*passwd.*,<HOST>\).*(unknown user|Password mi... Use log file : /root/demolog Unable to find a corresponding IP address for <GFWef5Po9AA+9P88> Unable to find a corresponding IP address for <8J+hf5PodwC8OSsG> Unable to find a corresponding IP address for <DpPYf5PoiwBOok8m> Unable to find a corresponding IP address for <3THgf5Po6wBeNt0h> Unable to find a corresponding IP address for <K94FgJPo8QBR1+Zm> Unable to find a corresponding IP address for <SNcSgJPo7ABVZEwj> Unable to find a corresponding IP address for <OtkugJPo1ACy71ZC> Unable to find a corresponding IP address for <53JCgJPoPwCy9Yvy> Unable to find a corresponding IP address for <sSJXgJPocQDD9CQP> Unable to find a corresponding IP address for <SwpigJPoLQC8ORxF> Unable to find a corresponding IP address for <POdsgJPoNADUnEbm> Unable to find a corresponding IP address for <X6mHgJPoSgC8OXRi> Unable to find a corresponding IP address for <4nr7gJPo6wC8OVQm> Unable to find a corresponding IP address for <VJIBgZPo7AC8OVQm> Unable to find a corresponding IP address for <hK0WgZPoZQCy71aj> Unable to find a corresponding IP address for <a9YpgZPotAC8OVt3> Unable to find a corresponding IP address for <qiEsgZPo4AC8OWLR> Results ======= Failregex |- Regular expressions: | [1] auth.*passwd.*,<HOST>\).*(unknown user|Password mismatch) | `- Number of matches: [1] 0 match(es) Ignoreregex |- Regular expressions: | `- Number of matches: Summary ======= Sorry, no match
