regex.custom.pm specifc user trap
Posted: 05 Dec 2011, 19:59
Hi,
i made a regex to trap custom fail under dovecot based on specific user that will never exist on my servers
if (( $lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s\.]+\s+dovecot\:\s+pop3\-login\:\s+Disconnected\s+\((auth\s+failed)\,\s+\d+\s+attempts\)\: user\=\<(?:administrator|account|backup|bin|fax|newsletter|news|postgres|root|smtp|staff|training|user|www|web)\>\, method\=PLAIN\,\s+rip\=(\d+\.\d+\.\d+\.\d+), lip=/)) {
return ("custom Failed POP3 login from","$2","pop3d","1","0:65535","1");
}
actually it "work" because i see it in the lfd.log file but the firewall never trigger at 1 fail as it should be...
AND LF_TRIGGER is set to 0
thanks
i made a regex to trap custom fail under dovecot based on specific user that will never exist on my servers
if (( $lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s\.]+\s+dovecot\:\s+pop3\-login\:\s+Disconnected\s+\((auth\s+failed)\,\s+\d+\s+attempts\)\: user\=\<(?:administrator|account|backup|bin|fax|newsletter|news|postgres|root|smtp|staff|training|user|www|web)\>\, method\=PLAIN\,\s+rip\=(\d+\.\d+\.\d+\.\d+), lip=/)) {
return ("custom Failed POP3 login from","$2","pop3d","1","0:65535","1");
}
actually it "work" because i see it in the lfd.log file but the firewall never trigger at 1 fail as it should be...
AND LF_TRIGGER is set to 0
thanks