fail2ban is not banning any IP even though there are many failures in the secure log. All of them are
auth: pam_unix(dovecot:auth) and pam_sss(dovecot:auth):
When testing the regex with fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf --print-all-matched
I see the IP addresses which should be banned.
There are some error messages in the fail2ban log: fail2ban.filter [2912]: ERROR No failure-id group in '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[ \]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(tried to use disallowed plaintext auth).*\s+rip=(?P<host>\S*),.*'
A 2nd one starting with (it's very long): 2020-03-01 08:10:04,557 fail2ban.transmitter [2912]: WARNING Command
And a 3rd: 2020-03-01 08:10:04,559 fail2ban [2912]: ERROR NOK: ("No failure-id group in '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?: \\s+[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?\\S*(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:pop3-login|imap-login):.*(Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(tried to use disallowed plaintext auth).*\\s+rip=(?P<host>\\S*),.*'",)
Any help is appreciated
Indeed, I decided to use /var/log/imap to catch bad logins, but I can see that I have more matches with /var/log/secure; maybe we could consider switching to /var/log/secure instead of /var/log/imap.
I'm sorry, since I'm not a developer I have never used GitHub, so I really don't know what I should do there.
The command output ends with: Missed line(s): too many to print. Use --print-all-missed to print all 13446 lines
I could mail you at least some lines of the output; they are all the same, just with different IP addresses in the rhost. I'm not sure I want them shown openly here.
There are many local IPs, but also a lot of others which should be banned.
They all look like this one:
Mar 3 21:31:58 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=peter rhost=141.98.80.146 user=peter
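As an added illustration (not code from this thread or from fail2ban itself) of what a filter has to do with the pam_unix/pam_sss lines quoted above: a small Python script with its own simplified failregex, a constructed /var/log/secure sample using documentation-range addresses, a check that the compiled pattern actually has a host group (the condition behind a "No failure-id group" error), and the maxretry/ignoreip logic that decides which rhost values would be banned. The prefix pattern, the <HOST> expansion, the group names and the thresholds are this example's assumptions modelled on fail2ban's behaviour, not fail2ban's exact internals.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure in the format quoted in the thread.
# Hostnames, users and addresses are made up (RFC 5737 / private ranges).
SAMPLE_SECURE_LOG = """\
Mar  3 21:31:58 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=peter rhost=203.0.113.7 user=peter
Mar  3 21:31:59 home2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=peter rhost=203.0.113.7 user=peter
Mar  3 21:32:04 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7 user=admin
Mar  3 21:32:10 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anna rhost=192.168.1.20 user=anna
Mar  3 21:32:11 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anna rhost=192.168.1.20 user=anna
Mar  3 21:32:12 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anna rhost=192.168.1.20 user=anna
Mar  3 21:32:30 home2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.9 user=bob
Mar  3 21:33:00 home2 sshd[1234]: Accepted publickey for peter from 203.0.113.7 port 50000 ssh2
"""

# Prefix for "Mar  3 21:31:58 home2 auth: " (syslog timestamp, hostname, program).
# A deliberately simple stand-in for fail2ban's __prefix_line, not a copy of it.
PREFIX = r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+auth:\s+"

# failregex for the pam_unix/pam_sss lines, written in fail2ban's <HOST> style
# (this example's own pattern, not the dovecot filter shipped with fail2ban).
FAILREGEX = (
    PREFIX
    + r"pam_(?:unix|sss)\(dovecot:auth\): authentication failure;"
    + r".*\btty=dovecot\b.*\brhost=<HOST>(?:\s+user=\S*)?\s*$"
)

# A broken variant that captures no address: the kind of pattern fail2ban rejects.
FAILREGEX_NO_HOST = PREFIX + r"pam_unix\(dovecot:auth\): authentication failure;.*$"

# <HOST> expansion modelled on fail2ban's: a named group 'host', optional IPv4-mapped prefix.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Group names accepted as a "failure id" in this example (assumption).
FAILURE_ID_GROUPS = ("host", "ip4", "ip6", "dns", "fid")


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand <HOST> and refuse patterns without a failure-id group,
    mirroring the 'No failure-id group' error quoted in the thread."""
    compiled = re.compile(pattern.replace("<HOST>", HOST_GROUP))
    if not any(g in compiled.groupindex for g in FAILURE_ID_GROUPS):
        raise ValueError(f"No failure-id group in '{pattern}'")
    return compiled


def is_valid_failregex(pattern: str) -> bool:
    """True if the pattern compiles and carries a failure-id group."""
    try:
        compile_failregex(pattern)
        return True
    except ValueError:
        return False


def count_failures(log_text: str, pattern: str) -> Counter:
    """Count matching lines per rhost, the way a filter feeds a jail."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits: Counter, maxretry: int = 3,
                 ignoreip=("127.0.0.0/8", "192.168.0.0/16")) -> set:
    """Apply jail semantics: at least maxretry failures and not covered by ignoreip.
    The local network in ignoreip is an assumption for this example."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    banned = set()
    for host, n in hits.items():
        if n < maxretry:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # rhost was a name, not an address; do not ban blindly
        if any(addr in net for net in ignored):
            continue
        banned.add(host)
    return banned


if __name__ == "__main__":
    hits = count_failures(SAMPLE_SECURE_LOG, FAILREGEX)
    print("failures per rhost:", dict(hits))
    print("would ban:", sorted(hosts_to_ban(hits)))
    print("broken pattern accepted:", is_valid_failregex(FAILREGEX_NO_HOST))
```

The point of the `is_valid_failregex` check is the same one fail2ban enforces: a failregex that matches a line but captures no address gives the jail nothing to ban, so it is rejected at load time rather than silently doing nothing. Running the script over the constructed sample counts three failures from 203.0.113.7, three from the private address 192.168.1.20 (dropped by ignoreip) and one from 198.51.100.9 (below maxretry), so only 203.0.113.7 would be banned.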