
I am trying to write a fail2ban regex that catches anyone who tries the user-id "administrador". For example, this log entry:

Jan  2 09:55:01 mail2 dovecot: pop3-login: Disconnected: user=<administrador>, method=PLAIN, rip=::ffff:201.130.1.218

Here's the regex I have so far:

failregex = (?: pop3-login|imap-login): .*(?:Disconnected: user=\<administrador\>).*rip=(?P<host>\S*),.*

It doesn't catch the log entry above because the syntax is wrong. Can anyone help?

ane
  • 171
  • 1
  • 4
  • 16
  • The way I usually use to write regex is to start with a very simple one and then improve it gradually to get a perfect one. Otherwise, you will find it too difficult to debug the problem. – Khaled Jan 04 '12 at 20:27

2 Answers

1

Your pattern starts with "pop3" or "imap"... The log entry starts with a date.

failregex = .*(pop3-login|imap-login).*administrator.*rip=<HOST>

Should work (though I haven't tested it)

Also found this Fail2Ban entry on the DovecotWiki.

Chris S
  • 77,945
  • 11
  • 124
  • 216
  • Thanks, but I tested that regex and it doesn't catch the desired entry. The date part of the log seems to be processed separately from the regex in fail2ban, so we don't need to include the .* at the beginning. I am guessing the syntax problem might start around the remote ip (rip) area ... – ane Jan 04 '12 at 19:39
1

Experimented further and was able to create a working one. The problem was around the remote ip (rip) section. Here's what worked:

failregex = (?: pop3-login|imap-login): .*(?:Disconnected: user=\<administrador\>).*rip=.*ffff\:(<HOST>).*

It might not be very efficient though. Any suggestions to improve it are still welcome.

ane
  • 171
  • 1
  • 4
  • 16
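To see why the original pattern misses the line and the final one catches it, here is an added Python harness (not part of the question or either answer) that emulates what fail2ban does: it strips the syslog timestamp, expands `<HOST>`, and runs each failregex over a few constructed log lines. The `<HOST>` expansion is an assumption modelled on fail2ban 0.8's default, which swallows an optional IPv4-mapped `::ffff:` prefix so the address that gets banned is the bare IPv4. Applied to the question's line, the original pattern fails because `rip=(?P<host>\S*),` demands a comma after the address and the line ends right after it; the working pattern and a tightened variant both return `201.130.1.218`.

```python
import re

# Constructed sample lines: the first is the entry from the question, the
# second is an imap-login variant, the third is a legitimate user that must
# not be matched.
LOG_LINES = [
    "Jan  2 09:55:01 mail2 dovecot: pop3-login: Disconnected: user=<administrador>, method=PLAIN, rip=::ffff:201.130.1.218",
    "Jan  2 09:55:07 mail2 dovecot: imap-login: Disconnected: user=<administrador>, method=PLAIN, rip=::ffff:198.51.100.7",
    "Jan  2 09:56:13 mail2 dovecot: pop3-login: Disconnected: user=<bob>, method=PLAIN, rip=::ffff:192.0.2.44",
]

# Assumption: fail2ban 0.8-style <HOST> expansion. The optional ::ffff: prefix
# is consumed outside the named group, so 'host' is the plain IPv4 address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# fail2ban matches the date separately and applies failregex to the rest of
# the line; emulate that by stripping a syslog-style timestamp.
DATE_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

# The pattern from the question (requires a comma after the address).
FAILREGEX_ORIGINAL = r"(?: pop3-login|imap-login): .*(?:Disconnected: user=\<administrador\>).*rip=(?P<host>\S*),.*"
# The pattern the asker reported as working.
FAILREGEX_WORKING = r"(?: pop3-login|imap-login): .*(?:Disconnected: user=\<administrador\>).*rip=.*ffff\:(<HOST>).*"
# A tightened variant (assumption, not from the page): anchors the login type,
# drops the redundant wildcards and lets <HOST> handle the ::ffff: prefix.
FAILREGEX_TIGHT = r"(?:pop3-login|imap-login): Disconnected: user=<administrador>,.*rip=<HOST>$"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_host(failregex, line):
    """Return the captured host for one log line, or None if no match."""
    body = DATE_PREFIX.sub("", line, count=1)
    m = compile_failregex(failregex).search(body)
    return m.group("host") if m else None


def scan(failregex, lines=LOG_LINES):
    """Apply a failregex to every line; None marks lines that would not ban."""
    return [extract_host(failregex, line) for line in lines]


if __name__ == "__main__":
    for name, rx in [("original", FAILREGEX_ORIGINAL),
                     ("working", FAILREGEX_WORKING),
                     ("tight", FAILREGEX_TIGHT)]:
        print(f"{name:9s} -> {scan(rx)}")
```

Running it shows the original pattern banning nobody, while both the working and the tightened pattern pick out the two "administrador" attempts and leave the legitimate login alone. The tightened form also avoids the `.*ffff\:` detour, which would silently stop matching if the server logged a plain IPv4 `rip=` without the mapped prefix.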