Unfortunately I still have no idea why this one isn't working, and would love some help ... but to add insult to injury, literally ALL the rest of my sendmail filters ARE working. It's just this one that's not.

Any help would be much appreciated. Thanks!

--- Amir

> On Mar 25, 2019, at 9:06 PM, Amir Caspi <[email protected]> wrote:
>
> One thing I should possibly also note: I'm using MailScanner, hence the sendmail service is started via ms-sendmail rather than sendmail. That is, I'm using /usr/lib/systemd/system/ms-sendmail.service (and the associated ms-sendmail-in and ms-sendmail-out, which get loaded through this file), rather than the default sendmail.service...
>
> I've changed the journalmatch to ms-sendmail.service but that doesn't seem to help at all.
>
> Thanks in advance for assistance.
>
> --- Amir
>
>> On Mar 25, 2019, at 8:48 PM, Amir Caspi <[email protected]> wrote:
>>
>> Hi all,
>>
>> I'm setting up a new CentOS 7 server with f2b 0.9.7 (from EPEL) and I'm having trouble with one of my sendmail rules. I set up a custom rule to ban servers that fail SMTP AUTH and then hang up... while I would normally want to ban these guys using the PAM failure, unfortunately the current cyrus-sasl implementation means that saslauthd doesn't log the remote host, or send the rhost info to PAM to log... so this is (right now) the only way to do it.
>>
>> Unfortunately, although my filter matches just fine using fail2ban-regex, the server is never triggering that filter.
>>
>> The filter is sendmail-noauth.conf, as follows:
>>
>> failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
>>
>> It's enabled in jail.local as follows, with default maxretry = 3, findtime = 600, bantime = 600:
>>
>> [sendmail-noauth]
>> enabled = true
>> port = submission,465,smtp
>> logpath = %(syslog_mail)s
>> backend = %(syslog_backend)s
>>
>> This is on CentOS 7, so I'm loading paths_fedora.conf which has syslog_mail = /var/log/maillog and syslog_backend = systemd. Default action is mwl so I get the email notification.
>>
>> /var/log/maillog has hundreds of lines from the same offender:
>>
>> Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>>
>> If I MANUALLY ban the IP using fail2ban-client, the resulting email is looking up the correct lines from the correct logfile.
>>
>> So, in short: fail2ban-regex matches just fine, and manual banning shows that the correct logfile is being read. But automated banning is not working.
>>
>> This same rule works just fine on my old CentOS 5 box using f2b 0.8.14.
>>
>> Can anyone help? I have no idea why it's not banning when fail2ban-regex works fine, as does manual banning.
>>
>> Thanks!
>>
>> --- Amir
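Added example, not part of the thread above and not fail2ban's own code: a small Python script that applies the failregex from the post to constructed maillog lines and then simulates the jail's maxretry/findtime counting, so the regex match and the ban decision can be checked separately from the running daemon. It assumes simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> expansions (the real definitions live in common.conf and in fail2ban's filter code and differ between versions), strips the syslog timestamp itself before matching, the way fail2ban removes the detected date, and hard-codes the year that a traditional syslog timestamp lacks. Apart from the one line quoted in the post, the sample log lines are constructed.

```python
"""Check a fail2ban sendmail failregex and the maxretry/findtime counting offline."""
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s, applied AFTER the date has been
# stripped: "<hostname> <program>[<pid>]: ". This is a simplification of the
# expression in fail2ban's common.conf (assumption, not the real definition).
PREFIX_LINE = r"\s*\S+\s+\S+?(?:\[\d+\])?:\s+"
# Stand-in for the 0.9.x <HOST> expansion (IPv4, IPv6-mapped IPv4, or a name).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, with the two placeholders expanded.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"\w{14}: (\S+ )?\[" + HOST + r"\]( \(may be forged\))?"
    + r" did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)

# Traditional syslog timestamp ("Mar 26 02:40:53"), which carries no year.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")


def split_date(line, year=2019):
    """Return (timestamp, remainder) for a syslog line, or None if it has no date."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rest")


def match_failure(line):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    parsed = split_date(line)
    if parsed is None:
        return None
    ts, rest = parsed
    m = FAILREGEX.match(rest)
    return (ts, m.group("host")) if m else None


def bans(lines, maxretry=3, findtime=600):
    """Simulate the jail: a host is banned by the failure that brings its
    count within the last `findtime` seconds up to `maxretry`."""
    recent = {}  # host -> timestamps of failures still inside the findtime window
    banned = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample log. The first line is the one quoted in the post; the
# others are made up: two more hits from the same host inside 600 s, an
# unrelated sendmail line, and two hits from another host 15 minutes apart.
SAMPLE_LOG = [
    "Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Mar 26 02:41:10 servername sm-mta[10960]: x2Q2fA1b010960: [91.212.150.89] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Mar 26 02:42:01 servername sm-mta[10971]: x2Q2g1Xq010971: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Mar 26 02:42:30 servername sm-mta[10980]: x2Q2gUAB010980: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]",
    "Mar 26 02:50:00 servername sm-mta[11002]: x2Q2o0tf011002: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Mar 26 03:05:00 servername sm-mta[11030]: x2Q35003011030: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = match_failure(line)
        print("MATCH " + hit[1] if hit else "no match", "|", line[16:70])
    print("banned with maxretry=3, findtime=600:", bans(SAMPLE_LOG))
```

The script separates the two things fail2ban-regex does not test together: whether a line matches, and whether enough matches from one host fall inside findtime to reach maxretry (91.212.150.89 is banned on its third hit; 198.51.100.7 is not, because its two hits are more than 600 seconds apart). If bans() reports the host but the daemon never does, neither the regex nor the counting is the problem, and what remains is how the lines reach the filter: with backend = systemd, fail2ban reads the journal rather than the logpath file, and the filter's journalmatch decides which journal entries it sees at all.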
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
