CasperSecurity
# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
#
# Doesn't currently provide PAM support as PAM log messages don't include rhost as
# remote IP.
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = solid-pop3d
failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
^%(__prefix_line)sroot login not allowed - <HOST>$
^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
ignoreregex =
# DEV Notes:
#
# solid-pop3d needs to be compiled with --enable-logextend to support
# IP addresses in log messages.
#
# solid-pop3d-0.15/src/main.c contains all authentication errors
# except for PAM authentication messages ( src/authenticate.c )
#
# A pam authentication failure message (note no IP for rhost).
# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques
#
# Authors: Daniel Black