Failed pop3 logins not blocked

[polux]

My VPS (CentOS6 with CWP) logs failed logins in /var/log/dovecot-info.log:

May 05 15:20:13 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<webmaster@domain.tld>, method=PLAIN, rip=IP, lip=IP

but they are not blocked by CSF.

I've added this custom regex but still doesn't block them:

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ pop3\-login.*auth failed.*rip\=(\S+)/))  {
		return ("Pop3 failed login",$1,"pop3failed","3","110","1");
	}

Any ideas?

[polux]

After restarting the server, the rule is working.