Shadow-Here
Server : Apache
System : Linux methusalix2 3.16.0-11-amd64 #1 SMP Debian 3.16.84-1 (2020-06-09) x86_64
User : hios ( 1437)
PHP Version : 5.6.40-0+deb8u12
Disable Function : proc_close,proc_open,dl,shell_exec,passthru
Directory :  /etc/fail2ban/filter.d/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :
Current File : //etc/fail2ban/filter.d/dovecot.conf
# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$

ignoreregex = 

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
#    lots of false positives on misconfigured MTAs making regexp unuseable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)

Samx