
Question Fail2ban filter courier imap fails.

JuanCar

Regular Pleskian
Server operating system version: Centos 7
Plesk version and microupdate number: Obsidian 18.0.48
My fail2ban doesn't ban this kind of record:

myserver courier-imaps: LOGIN FAILED, user=[email protected], ip=[::ffff:185.30.177.79], port=[3609]

I see that plesk-courierimap jail should ban the ip of this record.
This jail uses the filter plesk-courierlogin, which includes the regexp

failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$

I think this is not the proper regexp for this kind of record, because of the , port=[3609]
It would be something like:

failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\].*$

With this regexp the fail2ban jail should ban both IPs in these records:
myserver courier-imaps: LOGIN FAILED, user=[email protected], ip=[::ffff:185.30.177.79], port=[3609]
myserver courier-imaps: LOGIN FAILED, user=[email protected], ip=[::ffff:185.30.177.77]


Am I right?
 
The rule is not exactly false. On my test systems it yields results. But sure, you can expand it as suggested. After you have adapted the rule, you can test what it does using the fail2ban-regex utility, e.g.

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/plesk-courierlogin.conf

For a new rule to take effect, reload the corresponding jail:

# fail2ban-client reload plesk-courierimap
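An added example, not part of the original posts and not Plesk or fail2ban code: a quick offline check of the two failregex lines from this thread against constructed log lines with and without the trailing port field. PREFIX and HOST are simplified stand-ins (assumptions) for what fail2ban substitutes for %(__prefix_line)s and <HOST>, and STRICT is a hypothetical variant that keeps the end anchor; fail2ban-regex on the real log remains the authoritative test.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's own substitutions.
PREFIX = r"\S+ courier-imaps?: "                    # for %(__prefix_line)s
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"      # for <HOST>

# The two rules quoted in the thread.
ORIGINAL = r"^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$"
RELAXED = r"^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\].*$"
# Hypothetical tighter variant: allow only an optional port field before the end.
STRICT = (r"^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, "
          r"ip=\[<HOST>\](?:, port=\[\d+\])?$")

# Constructed sample lines (documentation addresses, timestamp already removed).
SAMPLES = [
    "myserver courier-imaps: LOGIN FAILED, user=user@example.com, "
    "ip=[::ffff:192.0.2.10], port=[3609]",
    "myserver courier-imaps: LOGIN FAILED, user=user@example.com, "
    "ip=[::ffff:192.0.2.11]",
    "myserver courier-imaps: LOGIN, user=user@example.com, "
    "ip=[::ffff:192.0.2.12], port=[3610]",          # successful login, must not match
]


def build(failregex):
    """Expand the fail2ban placeholders with the stand-ins and compile."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)
    return re.compile(expanded)


def matched_hosts(failregex, lines=SAMPLES):
    """Return the host each line would be banned for, or None if no match."""
    rx = build(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("relaxed", RELAXED), ("strict", STRICT)):
        print(f"{name:9}", matched_hosts(rule))
```

The original rule misses only the line that carries the port field, because its `$` sits directly after `\]`.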
 