Difference between revisions of "Talk:Dovecot"
From Fail2ban
Jump to navigationJump to search| Line 4: | Line 4: | ||
Here is the regex:<br> | Here is the regex:<br> | ||
dovecot.*authentication failure.*rhost\=<host><br> | dovecot.*authentication failure.*rhost\=<host><br> | ||
| − | + | <br > | |
| − | To catch lines like: | + | To catch lines like:<br> |
| − | dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5 | + | dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5<br> |
| − | the regexp is: | + | the regexp is:<br> |
| − | dovecot.*pop3-login.*Aborted login.*rip=<HOST>.* | + | dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*<br> |
| + | <br> | ||
Revision as of 13:03, 4 September 2008
If you want to catch this:
Aug 29 19:45:13 MyHostName dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=123.123.123.123
Here is the regex:
dovecot.*authentication failure.*rhost\=<host>
To catch lines like:
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<usrnm>, method=PLAIN, rip=192.168.2.4, lip=192.168.2.5
the regexp is:
dovecot.*pop3-login.*Aborted login.*rip=<HOST>.*
