Hi Doug! Sometimes late answers are better than none at all.
I don't know what version or logging you run. We run latest version of assp and standard logging and we use these two filters In fail2ban: failregex = .*\[.*?\].*?<HOST> \[SMTP Error\] 535.*? failregex = .*\[.*?\].*?<HOST> \[SMTP Error\] 504.*? They both work(and should work for you as well) and as far as I know are both valid attempts that should be counted. Regards, Pontus -----Ursprungligt meddelande----- Från: Doug Lytle [mailto:supp...@drdos.info] Skickat: den 1 juli 2018 13:31 Till: assp-test@lists.sourceforge.net Ämne: Re: [Assp-test] fail2ban ASSP filter On 07/01/2018 07:08 AM, James Brown via Assp-test wrote: > Does any have a good fail2ban filter for ASSP? > > I have this filter: > > /# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP/ I had to change the logging format in ASSP to get fail2ban to work, please modify to your environment, Doug Date/Time Format in LogDate /(LogDateFormat)/ Use this option to set the logdate. The default value is 'MMM-DD-YY hh:mm:ss'. The following (case sensitive !) replacements will be done: And then my filter is cat assp_auth_failure.conf # Fail2Ban configuration file # # Author: Viktor Ferenczi (python <at-here> cx <dot-here> hu) # [Definition] # Example: Nov-13-12 02:35:08 [Worker_5] Connected: 89.231.202.192:3500 > 10.0.0.10:587 > 10.0.0.12:25 # Nov-13-12 02:35:11 [Worker_5] 89.231.202.192 info: injected STARTTLS request to 10.0.0.12 # Nov-13-12 02:35:11 [Worker_5] [TLS-out] 89.231.202.192 info: authentication - login is used # Nov-13-12 02:35:13 [Worker_5] [TLS-out] 89.231.202.192 warning: SMTP authentication failed # Nov-13-12 02:35:13 [Worker_5] [TLS-out] 89.231.202.192 [SMTP Error] 535 5.7.8 Error: authentication failed: authentication failure failregex = \[TLS-out\] <HOST> .*?535 5.7.8 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = ---------------------------------------------------------------------------- -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test --- Detta e-postmeddelande har sökts igenom efter virus med antivirusprogram från Avast. https://www.avast.com/antivirus ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
