Roundcube filter v1.1.2

[AlexanderSk]

Hello i would like to note that existing* filter did not work for my config

*https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/roundcube-auth.conf //checked 17-8-2015

I made a few testings from the logfile in /var/log/roundcubemail/userlogins with the format:
[14-Aug-2015 17:10:42 +0300]: Failed login for sdsssdsd from xxx.xxx.xxx.xxx in session gigtq175h7bi66676toau3m9n4 (error: 0)

and i came up with the Working rule:
failregex = ..Failed login for .? from .*$
PS. in the editor the rule appears ok but in the preview and in the github skips two * between .. in the start and .? in the middle.

Specs
Centos 7.1
apache 2.4
latest fail2ban via yum
Roundcube Webmail IMAP Client | Version 1.1.2

[leeclemens]

There were a few fixes made recently that may not be included in the version you are using. Can you provide the fail2ban version (fail2ban-client -V)? or try the roundcube filter config file from the master branch here on github?

[AlexanderSk]

Hello,
At the time of this post i had tested the master rule with no success. Right now i can confirm it is working :)

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:.Microseconds)?(?: Zone offset)?
`-
Lines: 10 lines, 0 ignored, 5 matched, 5 missed [processed in 0.00 sec]

For the record the version is:
fail2ban-client -V
Fail2Ban v0.9.2

[nleng]

For me also the regex of master-branch wasn't working with the current roundcube version 1.1.3 as the "in session" part is missing in my error messages and the syntax is different. I am now using

failregex = ^.*IMAP Error: Login failed for .*? from <HOST>.*$