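[Notes] A fail2ban regular expression for blocking failed SASL logins
For a long time I could not find a fail2ban expression that blocks SASL authentication failures. All I had seen online were these posts: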
http://blog.xuite.net/pippeng/blog/63675336-Fail2Ban+for+Dovecot%3E
http://wiki.dovecot.org/HowTo/Fail2Ban
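Today I suddenly realized I had been thinking about it the wrong way: this has nothing to do with dovecot!
What I should be looking for is an expression that matches SASL authentication errors.
That said, the default dovecot filter seems to have problems too.
So I found this thread: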
http://www.howtoforge.com/forums/showthread.php?t=51349
and found this expression:

failregex = (?i): warning: [-.\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w

Then I tested it:

> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
> Use log file : /var/log/maillog
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> | 1: warning: [-.\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
> |
> - Number of matches:
> [1] 450 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> - Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
> 199.36.73.98 (Wed Oct 16 01:30:56 2013)
> (several hundred entries omitted)
> 223.198.165.194 (Wed Oct 16 01:47:37 2013)
> (several hundred more entries omitted)
> 113.59.11.87 (Wed Oct 16 03:47:28 2013)
> (several hundred entries omitted)
> 114.250.15.84 (Wed Oct 16 10:51:30 2013)
> (several hundred entries omitted)
Next, I will just leave fail2ban running and see how it goes!
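
As an added example (not part of the original post and not fail2ban's own code), this Python script applies the failregex above to constructed maillog lines and counts matches per host, similar to what the test run reports. The `<HOST>` substitution is a simplified stand-in for fail2ban's own, and the sample lines, `failures_by_host` and `hosts_over` are hypothetical.

```python
import re
from collections import Counter

# failregex from the post; the brackets around <HOST> are escaped so they match literally
FAILREGEX = (r"(?i): warning: [-.\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w")

# Assumption: simplified replacement for fail2ban's <HOST> tag (IPv4 or hostname only)
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# Constructed sample lines (documentation IP ranges), not taken from a real log
SAMPLE_LOG = """\
Oct 16 01:30:56 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 01:30:58 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 01:31:02 mail postfix/smtpd[2107]: warning: host.example.net[198.51.100.7]: SASL PLAIN authentication failed: generic failure
Oct 16 01:31:05 mail postfix/smtpd[2107]: connect from unknown[192.0.2.10]
Oct 16 01:31:09 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, rip=203.0.113.5, lip=192.0.2.1
Oct 16 01:31:12 mail postfix/smtpd[2110]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: PDEyMzQ1
Oct 16 01:31:15 mail postfix/smtpd[2110]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
"""

def compile_failregex(failregex):
    """Replace the <HOST> tag with a named capture group and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def failures_by_host(log_text, pattern):
    """Count matching log lines per captured host."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_over(hits, maxretry):
    """Hosts whose failure count reaches the threshold (like a jail's maxretry)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = failures_by_host(SAMPLE_LOG, compile_failregex(FAILREGEX))
    for host, n in hits.most_common():
        print(f"{host}: {n} match(es)")
    print("would ban:", hosts_over(hits, 2))
```

The dovecot login line is not matched, which is the post's point: the pattern targets Postfix SASL warnings. The last sample line is also skipped because the expression requires a `: ` reason after `authentication failed`.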