HomeForumsBlockHosts

What is the correct cfg for pop3

Mon, 2013–Dec–16

I see the cfg have this rule.

"dovecot-LoginFail":
r'{LOG_PREFIX{pop3-login}} Aborted login \[{HOST_IP}]',

but it seems cannot block the ip.

My log messages is like this
pop3-login: Dec 17 06:35:41 Info: Aborted login [xxx.xxx.xxx.xxx]

how can i change the rule for using blockhosts ?

‹ syslog format with OpenSuSE 13.1 blockhosts ip routing and freebsd ›
Mon, 2013-12-16 22:15 — ac

That won't match - not a normal log?

That will not match - normal syslog/multilog etc has a date in front not after, for example, this is what it will match:

Feb 19 15:40:23 hostname pop3-login: Aborted login [::ffff:10.238.200.11]
or
Jun 24 18:41:41 hostname dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:10.130.225.81, lip=::ffff:10.191.11.13

Maybe there is an option to dovecot to use normal log lines?

If not, then a new pattern has to be coded up for

pop3-login: Dec 17 06:35:41 Info: Aborted login [xxx.xxx.xxx.xxx]

Not tested, but something like this is needed - note adding this to blockhosts.cfg requires following all the python indenting rules):

    "dovecot-alternate":
        r'^pop3-login:  \w\w\w .?\d \d\d:\d\d:\d\d Info: Aborted login \[{HOST_IP}]',

Thu, 2013-12-19 09:04 — Anonymous (not verified)

how can i modify dovecot to use normal log lines ?

how can i modify dovecot to use normal log lines ?

Fri, 2013-12-20 08:55 — ac

Maybe dovecot changed log formats?

There may be no option to dovecot to change the log format. Not sure why it does not look like normal syslog lines, but that is always the issue with log-scrapping tools - when the log format changes, the patterns used have to change. So there may be no option other than to try a new regex for catching these lines.

Other things to check: is there some other log file that is in the expected syslog format? Example lines can be seen in the blockhosts.cfg file comments.

Fri, 2013-12-20 12:11 — Anonymous (not verified)

Have added to blockhosts.cfg

Have added to blockhosts.cfg

"dovecot-alternate":
r'^pop3-login: \w\w\w .?\d \d\d:\d\d:\d\d Info: Aborted login \[{HOST_IP}]',

But it seems cannot block the ip, is there somethings wrong?

Fri, 2013-12-20 12:40 — ac

Debugging may be required

Well, there are many things that could be wrong - the regex may not be totally correct, etc.
blockhosts.py has some debug and logging options and it can output more information. --help has some details.

And note that if you change the .cfg file it will only affect any future log line, existing log lines will not be re-read.