regex needed

Mar 21 13:49:24 server courierpop3login: DISCONNECTED, user=xxx, ip=[::ffff:xxx.xxx.xxx.xxx], top=0, retr=0, time=0

I need a regex for this log entry to filter failures... Can you help me?

here it is

For use with the latest blockhosts, which uses the LOG_PREFIX and HOST_IP patterns, the following will work:

    "courierpop3-Fail":
        r'{LOG_PREFIX{courierpop3login}} DISCONNECTED, user=.* ip=\[{HOST_IP}]',

Put this in the place where other similar rules are present in blockhosts.cfg.
Test whether it is working by looking at the output of blockhosts.py --debug: look for lines that say "found failed access" and see if they are for the rule courierpop3-Fail.

Great! I will test it now! :)

Does "courierpop3" use hosts.allow (like proftpd and sshd)?

blockhosts uses blockfile

Blockhosts uses /etc/hosts.allow as the blockfile; --help explains this.
The courierpop3login service may log to the same log file (/var/log/secure, for example) as sshd, or it may use a different log file. Finally, courierpop3login may or may not be built with TCP_WRAPPER support, so direct use of /etc/hosts.allow may not be possible. In that case, look at the --ipblock option of blockhosts.

Thank you very much for your patience! I gave you a wrong entry for failed logins! The right one is:

---
Mar 24 12:08:38 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]
---

For this I need a regex! The other one above is for a correct disconnect and should not be banned!

The failed entry above is in "/var/log/mail.err" (I use Ubuntu) and there is a second entry in "/var/log/auth.log":

---
Mar 24 12:08:42 server authdaemond.plain: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=XXX
---

Which one is better to use for a regex?

My English isn't so good. What exactly do you mean with:

"Finally, courierpop3login may or may not be built with TCP_WRAPPER support, so direct use of /hosts.allow may not be possible. In which case, look at the --ipblock option of blockhosts."?

What is the easiest way to find out if courierpop3 can be blocked via hosts.allow (like sshd and proftpd)?

use mail.err, and --ipblock=iptables

"/var/log/mail.err" is better to use; make sure to add it to the LOGFILES line in blockhosts.cfg, or pass it with the --logfiles= option on the command line.

As for whether courierpop3 supports TCP_WRAPPERS, you'll have to look at its source code or ask on its support mailing list/board.

But if you can't find out, just use the --ipblock=iptables option, which blocks all network packets from blocked hosts, so it does not require TCP_WRAPPERS support in courierpop3.
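The rule syntax shown earlier in the thread and the "LOGIN FAILED" line from mail.err, checked with a stand-alone Python script. This is an added example, not blockhosts code or a blockhosts.cfg fragment: log_prefix() and HOST_IP are my own stand-ins for blockhosts' LOG_PREFIX and HOST_IP placeholders (the real expansions may differ), the threshold is a plain parameter rather than blockhosts' configured count, and every sample line is constructed from the ones quoted in the thread, plus one hypothetical DISCONNECTED line whose user field contains text shaped like a failure, to show why the pattern is anchored to the log prefix rather than searched for anywhere in the line.

```python
import re
from collections import Counter

# Stand-in for blockhosts' LOG_PREFIX{service} placeholder (assumption: the
# real expansion may differ): syslog timestamp, host name, then the service
# name with an optional "[pid]", anchored at the start of the line.
def log_prefix(service):
    return (r'^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+'
            + re.escape(service) + r'(?:\[\d+\])?:\s+')

# Stand-in for HOST_IP (assumption): a dotted-quad IPv4 address, optionally
# in the IPv4-mapped IPv6 form ::ffff:a.b.c.d that courier writes inside [].
HOST_IP = r'(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Rules in the spirit of blockhosts.cfg entries: name -> pattern.
# Only "LOGIN FAILED" is a failure; DISCONNECTED is a normal session end.
RULES = {
    "courierpop3-Fail":
        log_prefix("courierpop3login") + r'LOGIN FAILED, ip=\[' + HOST_IP + r'\]',
}
COMPILED = {name: re.compile(pattern) for name, pattern in RULES.items()}


def match_failure(line):
    """Return (rule name, source IP) if the line is a counted failure, else None."""
    for name, regex in COMPILED.items():
        # match() plus the ^ in log_prefix(): the failure text must follow the
        # service name directly, so text echoed from a client-supplied field
        # later in the line cannot forge a failure against an arbitrary IP.
        m = regex.match(line)
        if m:
            return name, m.group('ip')
    return None


def count_failures(lines, threshold=7):
    """Count failures per IP; return (counts, IPs at or above threshold).

    threshold=7 is an assumed default for this example, not a value read
    from blockhosts' configuration.
    """
    counts = Counter()
    for line in lines:
        hit = match_failure(line)
        if hit:
            counts[hit[1]] += 1
    blocked = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, blocked


# Constructed sample lines modelled on the ones quoted in the thread.
SAMPLE_LINES = [
    "Mar 24 12:08:38 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]",
    "Mar 24 12:08:41 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]",
    "Mar 21 13:49:24 server courierpop3login: DISCONNECTED, user=xxx, ip=[::ffff:91.67.10.125], top=0, retr=0, time=0",
    "Mar 24 12:10:02 server courierpop3login: LOGIN FAILED, ip=[::ffff:79.209.106.127]",
    # Hypothetical: a user name chosen to look like a failure against 10.0.0.1.
    "Mar 24 12:11:07 server courierpop3login: DISCONNECTED, user=LOGIN FAILED, ip=[::ffff:10.0.0.1], ip=[::ffff:91.67.10.125], top=0, retr=0, time=0",
    # The auth.log line carries no client IP, so it cannot feed a per-host counter.
    "Mar 24 12:08:42 server authdaemond.plain: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=XXX",
]

if __name__ == "__main__":
    counts, blocked = count_failures(SAMPLE_LINES, threshold=2)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} failed login(s)")
    print("blocking:", blocked)
```

The authdaemond line in auth.log is why mail.err is the better source here: it records the failure but not the client address, so a per-host rule has nothing to capture from it.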

I use "--ipblock=iptables"! Does that mean the problem with the TCP wrapper is not important?

Can you help me with the new regex, please? :)

Yes, if iptables is used, there is no need to look for TCP_WRAPPERS support.

Thanks for your great support!

Today the same: an IP is blocked AND under watch. The problem is that watched IPs are not to be banned :(

This is the message from my mail alert(s):

---
Blocking hosts:
79.209.106.127

Watching hosts:
79.209.106.127 count: 55 updated at: 2008-03-29 14:05:01 CET

Log messages:
blockhosts 2.3.1 started: 2008-03-29 14:05:01 CET ... loaded /etc/hosts.allow, starting counts: blocked 1, watched 1 ... loading log file /var/log/auth.log, offset: 848868 ... loading log file /var/log/mail.err, offset: 39734 ... discarding all host entries older than 2008-03-29 02:05:01 CET
Notice: count=55, blocking host: 79.209.106.127 ... final counts: blocked 1, watched 1
---