my old file conf was :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
If you go to https://regex101.com/ you can test the regular expression on the log string :
May 10 15:57:59 mail postfix/smtpd[28617]: warning: ip43.ip-192-99-125.net[192.99.125.43]: SASL LOGIN authentication failed: Connection lost to authentication server
I corrected the error and the the configuration is :
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$
You can leave also the first setting but it is not necessary.
Some others command to do test:
fail2ban-client ping
fail2ban-client status
fail2ban-client status dovecot
fail2ban-client status postfix-sasl
fail2ban-regex /root/software/test_fail2ban_dovecot.log /etc/fail2ban/filter.d/dovecot.conf
You can test a piece of log file with a configuration jail file using the command fail2ban-regex
1a -> no need to change rotation, read about the settings: bantime, findtime, maxretry
1b -> fail2ban reads the log which is defined in jails logpath, for the recidive jail /var/log/fail2ban.log will be used
2 -> yes it means recidve will ban ip based on the log entrys matching bantime, findtime, maxretry
3. -> such long block time should not be needed, if it is an repeating offender he will by chached up by the recidive jail
4. it depends on your system and resources, if you are worry about the amount of blocked ip´s then you can set up the jails with ipset,
read also:
Using Fail2ban to Secure Your Server – A Tutorial
Optimising your Fail2Ban filters | The Art of Web
Protection Against Brute Force Attacks (Fail2Ban)
Fail2Ban Jails Management
fail2ban-client set <jail> unbanip <ip>