Hi Everyone, I'm new to fail2ban but I can't find a way to have a particular rule. My antispam system is always under attack by spammers that try to use it as an open relay. Now I configured it to send syslog logs to my syslog server (that is, by the way, a firewall). I would like to have fail2ban parse the syslog messages and block any IP that tries to authenticate against the antispam system. The problem is that I can't find a way to write a rule, because the syslog messages are pretty strange...

Here are a couple of them:

2018-10-29 20:51:06 Mail.Debug xxx.xxx.xx.xxx inbound/pass1: unknown[121.52.243.98] 1540842664-797818-10792-4989-1 1540842664 1540842666 RECV - - 2 83 - [-]
2018-10-29 20:56:22 Mail.Debug xxx.xxx.xx.xxx inbound/pass1: static.vnpt.vn[14.186.0.242] 1540842979-797818-10791-389-1 1540842981 1540842982 RECV - - 2 83 - [-]

I would need fail2ban to parse this kind of message, and when it matches the expression "RECV - - 2 83 -" it adds the IP between the []. Is there a way to do this? Many many many thanks in advance!
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
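Added example (not part of the original post or of fail2ban itself): a filter for the two lines quoted above, plus a small Python harness that applies the failregex the way fail2ban does (timestamp cut off first, then the regex, with `<HOST>` expanded to a capture group) so the pattern can be checked offline. The filter and jail names `antispam-relay`, the jail settings, and the third decoy log line are assumptions made for the example; the `<HOST>` expansion here is a simplified IPv4-only stand-in for fail2ban's real one, which also accepts IPv6 and hostnames.

```python
"""Prototype fail2ban filter for the relay-probe lines and an offline check."""
import configparser
import re

# Contents for /etc/fail2ban/filter.d/antispam-relay.conf (file name assumed).
# fail2ban removes the timestamp it detected before matching, so the regex
# starts at the facility.priority field. Only the "RECV - - 2 83 -" signature
# counts, and <HOST> is anchored to the address inside the square brackets
# after the client hostname, never to the antispam host's own address.
FILTER_CONF = r"""
[Definition]
failregex = ^\s*Mail\.Debug \S+ inbound/pass1: [^\s\[]+\[<HOST>\] \S+ \d+ \d+ RECV - - 2 83 -
ignoreregex =
"""

# Matching jail stanza for jail.local (values assumed for illustration).
JAIL_CONF = """
[antispam-relay]
enabled  = true
filter   = antispam-relay
logpath  = /var/log/syslog
maxretry = 1
findtime = 600
bantime  = 3600
"""

# Constructed sample: the two lines from the post plus a decoy with a different
# result code that must NOT produce a ban.
SAMPLE_LOG = """\
2018-10-29 20:51:06 Mail.Debug xxx.xxx.xx.xxx inbound/pass1: unknown[121.52.243.98] 1540842664-797818-10792-4989-1 1540842664 1540842666 RECV - - 2 83 - [-]
2018-10-29 20:56:22 Mail.Debug xxx.xxx.xx.xxx inbound/pass1: static.vnpt.vn[14.186.0.242] 1540842979-797818-10791-389-1 1540842981 1540842982 RECV - - 2 83 - [-]
2018-10-29 20:57:01 Mail.Debug xxx.xxx.xx.xxx inbound/pass1: mail.example.net[198.51.100.7] 1540843020-797818-10795-12-1 1540843020 1540843021 RECV - - 1 0 - [-]
"""

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; assumption).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
# The "%Y-%m-%d %H:%M:%S" prefix fail2ban's date detector would strip.
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def compile_failregex(conf):
    """Read the [Definition] section and compile each failregex line."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf)
    lines = cp.get("Definition", "failregex").splitlines()
    return [re.compile(l.strip().replace("<HOST>", HOST_PATTERN))
            for l in lines if l.strip()]


def extract_hosts(log, patterns):
    """Return the <HOST> captured from every line that matches a failregex."""
    hosts = []
    for line in log.splitlines():
        rest = DATE_PREFIX.sub("", line, count=1)  # mimic date removal
        for pat in patterns:
            m = pat.search(rest)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def relay_probe_hosts():
    """Addresses the filter would hand to fail2ban for the sample log."""
    return extract_hosts(SAMPLE_LOG, compile_failregex(FILTER_CONF))


if __name__ == "__main__":
    for host in relay_probe_hosts():
        print("would ban", host)
```

Once the filter file is in place, verify it against the real engine with `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/antispam-relay.conf`; the decoy line shows why the regex should key on the exact "RECV - - 2 83 -" fields rather than on `inbound/pass1` alone.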
