On 6/19/2018 11:13 AM, daniel_1983--- via Fail2ban-users wrote:
[snip]
> A particular IP had 80 failures without getting banned. The only reason I see
> is because the log lines look like this
>
> Jun 19 16:52:35 messagerie-prep postfix/smtpd[8951]: warning:
> 95.red-2-139-252.staticip.rima-tde.net[2.139.252.95]: SASL Login
> authentication failed: UGFzc3dvcmQ6
>
> Notice that login is written Login instead of LOGIN like in the filter.
>
> What do you suggest ?

You are right, the usual Postfix log has it all uppercase, you'll need
to edit the filter adding the variant:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|Login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

--
René Berber
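
A quick check of the edited filter, as an added example that is not part of the original message: it expands the failregex with simplified stand-ins for `%(__prefix_line)s` and `<HOST>` (assumptions; fail2ban's real expansions are broader) and runs it over the reported log line plus constructed LOGIN/login variants. The "before" pattern is assumed to be the reply's regex without the `Login` alternative.

```python
import re

# Assumption: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>
# substitutions. The real expansions are broader, and fail2ban handles the
# timestamp itself before matching.
PREFIX_LINE = r"\w{3} +\d+ [\d:]{8} \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the reply; MECHS marks the SASL mechanism alternation.
TEMPLATE = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL "
            r"(?:MECHS) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$")


def build(mechs):
    """Expand the template into a compiled Python regex."""
    rx = TEMPLATE.replace("MECHS", mechs)
    rx = rx.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(rx)


# Assumed "before" state: the reply's regex without the Login alternative.
BEFORE = build(r"LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5")
# As posted in the reply.
AFTER = build(r"LOGIN|Login|PLAIN|(?:CRAM|DIGEST)-MD5")


def banned_host(regex, line):
    """Return the address the filter would report, or None if no match."""
    m = regex.search(line)
    return m.group("host") if m else None


# Log line from the original report, joined back onto one line.
REPORTED = ("Jun 19 16:52:35 messagerie-prep postfix/smtpd[8951]: warning: "
            "95.red-2-139-252.staticip.rima-tde.net[2.139.252.95]: "
            "SASL Login authentication failed: UGFzc3dvcmQ6")
# Constructed variants (not from the thread) to probe other casings.
UPPER = REPORTED.replace("SASL Login", "SASL LOGIN")
LOWER = REPORTED.replace("SASL Login", "SASL login")

if __name__ == "__main__":
    for name, line in (("Login", REPORTED), ("LOGIN", UPPER), ("login", LOWER)):
        print(name, banned_host(BEFORE, line), banned_host(AFTER, line))
```

The edited pattern covers exactly `LOGIN` and `Login`; a line with any other casing, such as `login`, still goes unmatched and would not count toward a ban.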
