Re: [Fail2ban-users] SASL Sendmail Auth Regex

Sun, 17 Jan 2016 15:49:36 -0800 




>
> On 17/01/2016 20:06, Ken Smith wrote:
>> Hi Fail2Ban users,
>>
>>
>> I'm trying to match lines like this on a F2Ban 0.8.4 system:-
>>
>> Jan 17 07:08:04 knettaa2 sendmail[23508]: u0H77tm0023508:
>> car-pppoe-dvz-01.wln.com.br [187.17.21.214] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>>
>> and my amateur regex foo is completely failing me.
>>
>> Has someone done this before and be willing to share their solution.
>>
>> Many thanks
>>
>> Ken
>>

Nick Howitt wrote:
> Knowing nothing about sendmail and only based on the sendmail-reject 
> and sendmail-auth filters:
>
> ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\] did not issue 
> MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$
>
> Test using fail2ban-regex.
>
> Nick

Thank you for the swift response Nick. That was one of the incantations 
I had tried with these results

Running tests
=============

Use regex file : sasl2.conf
Traceback (most recent call last):
   File "/usr/bin/fail2ban-regex", line 362, in ?
     if fail2banRegex.readRegex(sys.argv[2]) == False:
   File "/usr/bin/fail2ban-regex", line 176, in readRegex
     self.__failregex = [RegexStat(m)
   File "/usr/lib/python2.4/ConfigParser.py", line 525, in get
     return self._interpolate(section, option, value, d)
   File "/usr/lib/python2.4/ConfigParser.py", line 593, in _interpolate
     self._interpolate_some(option, L, rawval, section, vars, 1)
   File "/usr/lib/python2.4/ConfigParser.py", line 624, in _interpolate_some
     raise InterpolationMissingOptionError(
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
     section: [Definition]
     option : failregex
     key    : __prefix_line
     rawval : \w{14}: (\S+ )?\[<HOST>\] did not issue 
MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$


Whereas grep  "did not issue MAIL/EXPN" /var/log/maillog.1

gave the line in the example above.

This is on Centos 5.

Thanks

Ken

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users






















					Reply via email to