Hi, I've installed the latest ISPConfig 2 on Fedora 15 with perfect setup. In ISPC I've turned off the firewall. I'm trying to configure fail2ban to block failed logins to the dovecot server.

dovecot.conf in the filter.d folder:

    [Definition]
    failregex = (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
    ignoreregex =

dovecot part in jail.conf:

    [dovecot-pop3imap]
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="110,143,995,993,25,465,587"]
    logpath = /var/log/maillog
    maxretry = 5
    findtime = 600
    bantime = 3600

SSH failed attempts are blocked, but dovecot ones are not. I'm stuck. What could be wrong?

If I run fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf:

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/dovecot.conf
    Use log file : /var/log/maillog

    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] (?: pop3-login|imap_login ): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*
    |
    `- Number of matches:
       [1] 22528 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
        173.192.142.34 (Sun Apr 08 06:58:42 2012)
        173.192.142.34 (Sun Apr 08 06:58:42 2012)
        173.192.142.34 (Sun Apr 08 06:58:42 2012)
        173.192.142.34 (Sun Apr 08 06:58:47 2012)
        173.192.142.34 (Sun Apr 08 06:58:47 2012)
        173.192.142.34 (Sun Apr 08 06:58:47 2012)
        173.192.142.34 (Sun Apr 08 06:58:52 2012)
        210.26.5.2 (Thu Apr 12 18:27:40 2012)
        210.26.5.2 (Thu Apr 12 18:27:52 2012)
        210.26.5.2 (Thu Apr 12 18:27:52 2012)
        210.26.5.2 (Thu Apr 12 18:30:40 2012)
        210.26.5.2 (Thu Apr 12 18:30:52 2012)
        210.26.5.2 (Thu Apr 12 18:30:52 2012)

    Date template hits:
    63317 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>

    Success, the total number of match is 22528

    However, look at the above section 'Running tests' which could contain important information.
Yes, I've restarted fail2ban. SSH rule works and proftpd too.

Log:

    Apr 8 07:11:17 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<gopher>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:21 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:25 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..82
    Apr 8 07:11:29 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..83
    Apr 8 07:11:33 fed dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=173.192.142.34, lip=x.x.x..81
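
Added example, not part of the original posts and not fail2ban's own code: an offline check of which sample lines the posted failregex counts toward maxretry = 5 within findtime = 600. The `<HOST>` stand-in, the `VARIANT` regex, the imap-login line format and the sample addresses are assumptions. The posted filter matches the pop3-login failures but misses imap-login ones, because it spells the service `imap_login `.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex exactly as posted in filter.d/dovecot.conf
POSTED = (r"(?: pop3-login|imap_login ): (?:Authentication failure|"
          r"Aborted login \(auth failed|Aborted login \(auth failed|"
          r"Disconnected).*rip=(<HOST>),.*")
# Hypothetical variant (not from the thread): hyphenated service names
VARIANT = (r"(?:pop3|imap)-login: (?:Authentication failure|"
           r"Aborted login \(auth failed|Disconnected).*rip=(<HOST>),.*")
# Simplified stand-in for fail2ban's <HOST> expansion (assumption)
HOST = r"(?P<host>[\w\-.^_]+)"
MAXRETRY, FINDTIME = 5, 600  # from the posted jail.conf

def parse_ts(line, year=2012):
    # syslog timestamps carry no year, so the caller supplies one
    month, day, clock = line.split(None, 3)[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")

def hits_per_host(lines, failregex):
    """Map each matched host to the timestamps of its matching lines."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = defaultdict(list)
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")].append(parse_ts(line))
    return hits

def would_ban(lines, failregex):
    """Hosts with at least MAXRETRY matches inside one FINDTIME window."""
    banned = set()
    for host, times in hits_per_host(lines, failregex).items():
        times.sort()
        # pair each match with the one MAXRETRY-1 positions later
        for first, last in zip(times, times[MAXRETRY - 1:]):
            if (last - first).total_seconds() <= FINDTIME:
                banned.add(host)
                break
    return banned

# Constructed sample lines in the posted log format; documentation addresses.
TAIL = "Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip={ip}, lip=192.0.2.1"
SAMPLE = [f"Apr  8 07:11:{17 + 4 * i:02d} fed dovecot: pop3-login: " + TAIL.format(ip="198.51.100.7")
          for i in range(5)]
SAMPLE += [f"Apr  8 07:12:{17 + 4 * i:02d} fed dovecot: imap-login: " + TAIL.format(ip="203.0.113.9")
           for i in range(5)]
if __name__ == "__main__":
    print("posted :", sorted(would_ban(SAMPLE, POSTED)))
    print("variant:", sorted(would_ban(SAMPLE, VARIANT)))
```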