# HG changeset patch
# User Carl Byington <carl@five-ten-sg.com>
# Date 1450557931 28800
# Node ID d179292293ebff38e90df073503bc90d48492fb3
# Parent  f17e6599b82c507c0b29510f2662346bded19803
fix default config dovecot regular expressions; add manual blocking expression

diff -r f17e6599b82c -r d179292293eb syslog2iptables.conf.top
--- a/syslog2iptables.conf.top	Sat Dec 19 11:12:08 2015 -0800
+++ b/syslog2iptables.conf.top	Sat Dec 19 12:45:31 2015 -0800
@@ -14,6 +14,11 @@
             bucket -5000;
             message "manual unblock";
         };
+        pattern "manual block (.*)" {
+            index 1;    // zero based
+            bucket 5000;
+            message "manual block";
+        };
         pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
             index 1;    // zero based
             bucket 400;
@@ -90,7 +95,12 @@
             bucket 100;
             message "dovecot failed password";
         };
-        pattern "dovecot.*Login: .* rip=(.*), lip=" {
+        pattern "dovecot.*Disconnected: Inactivity .auth failed.* rip=(.*), lip=" {
+            index 1;    // zero based
+            bucket 100;
+            message "dovecot failed password";
+        };
+        pattern "dovecot.*Login: user=.* rip=(.*), lip=" {
             index 1;    // zero based
             bucket -5000;
             message "dovecot good authentication";