Hi all,
I'm setting up a new CentOS 7 server with f2b 0.9.7 (from EPEL) and I'm
having trouble with one of my sendmail rules. I set up a custom rule to ban
servers that fail SMTP AUTH and then hang up... while I would normally want to
ban these guys using the PAM failure, unfortunately the current cyrus-sasl
implementation means that saslauthd doesn't log the remote host, or send the
rhost info to PAM to log... so this is (right now) the only way to do it.
Unfortunately, although my filter matches just fine using fail2ban-regex, the
server is never triggering that filter.
The filter is sendmail-noauth.conf, as follows:
failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
It's enabled in jail.local as follows, with default maxretry = 3, findtime =
600, bantime = 600:
[sendmail-noauth]
enabled = true
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
This is on CentOS 7, so I'm loading paths_fedora.conf which has syslog_mail =
/var/log/maillog and syslog_backend = systemd. Default action is mwl so I get
the email notification.
/var/log/maillog has hundreds of lines from the same offender:
Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
If I MANUALLY ban the IP using fail2ban-client, the resulting email is looking
up the correct lines from the correct logfile.
So, in short: fail2ban-regex matches just fine, and manual banning shows that
the correct logfile is being read. But automated banning is not working.
This same rule works just fine on my old CentOS 5 box using f2b 0.8.14.
Can anyone help? I have no idea why it's not banning when fail2ban-regex works
fine, as does manual banning.
Thanks!
--- Amir
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
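Editor's note: the example below is added here and is not part of the post above nor fail2ban's own code. It runs the posted failregex over a few constructed sendmail log lines and then applies the jail's maxretry/findtime window to decide who would be banned, separating the two things the post conflates: fail2ban-regex only reports that lines match the filter, whereas the jail bans an address only after maxretry matches inside findtime, read through the backend configured for the jail. The `%(__prefix_line)s` and `<HOST>` substitutions are simplified stand-ins for what fail2ban expands from common.conf (assumption, labelled in the code); fail2ban strips the timestamp with its datepattern before matching, which the script does by hand. The log lines, the year 2019 and the second address 203.0.113.7 are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex exactly as posted, in fail2ban's template form.
FAILREGEX = (r"^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?"
             r" did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$")

# Assumption: simplified versions of the expansions fail2ban performs. The real
# __prefix_line in common.conf is more elaborate; this one only covers the
# "hostname sm-mta[pid]: " shape seen in the post. <HOST> follows 0.9's form.
PREFIX_LINE = r"(?:\S+ +)?\S+\[\d+\]: "
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp at the start of a /var/log/maillog line (no year present).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
ASSUMED_YEAR = 2019  # constructed; syslog lines carry no year

# Constructed sample log: three hits from one host inside ten minutes, two hits
# from another host fifteen minutes apart, and one unrelated sendmail line.
SAMPLE_LOG = """\
Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:41:10 servername sm-mta[10960]: x2Q2f9ab010960: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:41:40 servername sm-mta[10971]: x2Q2fdcd010971: [91.212.150.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:50:00 servername sm-mta[11002]: x2Q2o0ef011002: host.example.net [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 03:05:00 servername sm-mta[11040]: x2Q350gh011040: host.example.net [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 03:06:00 servername sm-mta[11041]: x2Q360ij011041: from=<user@example.org>, size=1024, class=0, nrcpts=1
"""


def compile_failregex(template=FAILREGEX):
    """Expand the fail2ban template placeholders and compile the result."""
    pattern = template.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def parse_line(line, regex=None):
    """Return (timestamp, host) when the line matches the filter, else None."""
    regex = regex or compile_failregex()
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fm = regex.match(line[m.end():])  # timestamp removed, as fail2ban does
    if not fm:
        return None
    return ts, fm.group("host")


def match_counts(lines):
    """What fail2ban-regex reports: matches per host, no time window applied."""
    regex = compile_failregex()
    counts = defaultdict(int)
    for line in lines:
        hit = parse_line(line, regex)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def find_bans(lines, maxretry=3, findtime=600):
    """What the jail does: ban when maxretry failures fall inside findtime seconds.

    Returns {host: [ban timestamps]}. After a ban the host's window is cleared,
    so a later burst has to reach maxretry again.
    """
    regex = compile_failregex()
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        hit = parse_line(line, regex)
        if hit is None:
            continue
        ts, host = hit
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            bans.setdefault(host, []).append(ts)
            q.clear()
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("matches per host:", match_counts(lines))
    print("bans (maxretry=3, findtime=600):", find_bans(lines))
```

With the sample above, `match_counts` reports both addresses (3 and 2 matches), which is all fail2ban-regex tells you, while `find_bans` bans only 91.212.150.89, at the third hit. A host that fails twice but more than findtime apart never reaches maxretry, so "the regex matches" and "the jail bans" are different checks; and neither this script nor fail2ban-regex exercises the systemd backend named in the jail, which is the remaining piece to verify separately.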