Reputation: 1724
I am NO GOOD at regex - and as such I cannot seem to match the Plesk mail log string that indicates a brute force SMTP attack.
My log looks like this:
May 19 03:24:58 gohhllc smtp_auth[22702]: SMTP connect from mail.globaltrbilisim.com [213.144.99.201]
May 19 03:24:58 gohhllc smtp_auth[22702]: No such user '[email protected]' in mail authorization database
May 19 03:24:58 gohhllc smtp_auth[22702]: FAILED: [email protected] - password incorrect from mail.globaltrbilisim.com [213.144.99.201]
In some cases it also looks like this:
May 19 03:25:22 gohhllc smtp_auth[23056]: SMTP connect from 89-97-124-22.fweds-spc.it [89.97.124.22]
May 19 03:25:22 gohhllc smtp_auth[23056]: FAILED: element - password incorrect from 89-97-124-22.fweds-spc.it [89.97.124.22]
My regex attempts to match both username failures and password failures look like this:
failregex = No such user '.*' in mail authorization database
FAILED: .* - password incorrect from [<HOST>]
Along with 20+ other combos, to no avail - most of the time the result is an error like this:
Unable to compile regular expression 'FAILED:
Thanks
Upvotes: 0
Views: 766
Reputation: 1724
I worked through this and, using http://www.regexr.com/, I was able to write a fairly easy regex (I guess I'm getting better at it) to make this work.
The resulting statement for smtp-auth when using Plesk and Qmail (at least on my server) is:
failregex = FAILED: [-/\w]+ - password incorrect from <HOST>
As for "no such user" entries, I was unable to make this work as there is no hostname in the log file for this entry and fail2ban requires the hostname :(
Upvotes: 0
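The following is an added example, not code from the question or the answer. It models what fail2ban does with a failregex (expanding the `<HOST>` tag into a named group and compiling the result; the expansion string is an assumption taken from fail2ban 0.8.x and is not quoted on this page) and runs the question's broken pattern, the answer's working pattern, and one widened variant of my own over constructed log lines in the same shape as the ones posted. The hostnames, IPs and login names in the sample are made up.

```python
import re

# What fail2ban 0.8.x substitutes for the <HOST> tag before compiling a failregex.
# Assumption: reproduced from memory of fail2ban's filter code; newer releases use
# a longer pattern but the mechanism (replace the tag, then re.compile) is the same.
FAIL2BAN_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Pattern from the question: the square brackets around <HOST> turn the expansion
# into a malformed character class, which is why fail2ban reports a compile error.
BROKEN_FAILREGEX = r"FAILED: .* - password incorrect from [<HOST>]"

# Pattern from the answer: compiles, and captures the reverse-DNS name after "from".
ANSWER_FAILREGEX = r"FAILED: [-/\w]+ - password incorrect from <HOST>"

# My own variant (not from the page): skip the reverse-DNS name and capture the
# bracketed IP instead, so fail2ban needs no DNS lookup, and allow '@' and '.' in
# the login name so address-style logins are matched too.
IP_FAILREGEX = r"FAILED: [-/\w.@]+ - password incorrect from \S+ \[<HOST>\]"

# Constructed sample lines modelled on the question's smtp_auth log.
SAMPLE_LOG = [
    "May 19 03:24:58 gohhllc smtp_auth[22702]: SMTP connect from mail.example.net [203.0.113.5]",
    "May 19 03:24:58 gohhllc smtp_auth[22702]: No such user 'bob@example.com' in mail authorization database",
    "May 19 03:24:58 gohhllc smtp_auth[22702]: FAILED: bob@example.com - password incorrect from mail.example.net [203.0.113.5]",
    "May 19 03:25:22 gohhllc smtp_auth[23056]: SMTP connect from host-22.example.org [198.51.100.22]",
    "May 19 03:25:22 gohhllc smtp_auth[23056]: FAILED: element - password incorrect from host-22.example.org [198.51.100.22]",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result.

    Returns (compiled_pattern, None) on success or (None, error_message) on failure,
    mirroring the "Unable to compile regular expression" message seen in the question.
    """
    expanded = failregex.replace("<HOST>", FAIL2BAN_HOST)
    try:
        return re.compile(expanded), None
    except re.error as exc:
        return None, "Unable to compile regular expression '%s': %s" % (failregex, exc)


def find_failures(failregex, lines):
    """Return the <host> value captured for every line the failregex matches."""
    pattern, err = compile_failregex(failregex)
    if pattern is None:
        raise ValueError(err)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def count_by_host(hosts):
    """Tally captured hosts; fail2ban bans once a host exceeds maxretry in findtime."""
    counts = {}
    for host in hosts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    _, err = compile_failregex(BROKEN_FAILREGEX)
    print("question's pattern:", err)
    print("answer's pattern:  ", find_failures(ANSWER_FAILREGEX, SAMPLE_LOG))
    print("IP variant:        ", count_by_host(find_failures(IP_FAILREGEX, SAMPLE_LOG)))
```

Two things the run makes visible that the answer does not spell out: the answer's `[-/\w]+` login class excludes `@` and `.`, so a FAILED line for an address-style login (like the first one in the question, whose address was mangled in the post) is not matched, only the bare `element` one is; and because `<HOST>` is placed right after "from", what gets captured is the reverse-DNS name rather than the IP in brackets, leaving fail2ban to resolve it. Matching the bracketed IP directly, as the variant does, avoids both issues. The "No such user" line still carries no host on its own; the connecting IP is only on the preceding "SMTP connect" line, which is why a single-line failregex cannot use it.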