Try something like this:

[Init]
maxlines = 2

[Definition]
# Two-line match: the "accepted connection" line carrying <HOST>, then the "Connection refused" line.
failregex = ^\s*LOG\d\[\d+\]: Service \[ssmtp\] accepted connection from ::ffff:<HOST>:\d+\n.*s_connect: connect ::1:25: Connection refused \(61\)

The key thing is to turn on multiline support (in your case, two lines) and then adjust the regex, where log lines are separated by \n.*

You can research the topic further by googling 'fail2ban multiline regex'

Denis

> On 12 Apr 2019, at 02:28, James Brown <[email protected]> wrote:
>
> I have Stunnel receiving email submissions on ports 465 & 587. I’d like fail2ban to block attempts where the connection is refused by the mail server.
>
> Eg:
>
> 2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] accepted connection from ::ffff:185.222.209.224:24846
> 2019.04.12 10:16:22 LOG3[4]: s_connect: connect ::1:25: Connection refused (61)
> 2019.04.12 10:16:22 LOG5[4]: s_connect: connected 127.0.0.1:25
> 2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] connected remote server from 127.0.0.1:54674
> 2019.04.12 10:16:30 LOG5[3]: Connection closed: 232 byte(s) sent to TLS, 84 byte(s) sent to socket
> 2019.04.12 10:16:30 LOG5[5]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:62532
> 2019.04.12 10:16:31 LOG3[5]: s_connect: connect ::1:25: Connection refused (61)
> 2019.04.12 10:16:31 LOG5[5]: s_connect: connected 127.0.0.1:25
> 2019.04.12 10:16:31 LOG5[5]: Service [ssmtp] connected remote server from 127.0.0.1:54681
> 2019.04.12 10:16:31 LOG5[4]: Connection closed: 232 byte(s) sent to TLS, 70 byte(s) sent to socket
> 2019.04.12 10:16:42 LOG5[5]: Connection closed: 190 byte(s) sent to TLS, 34 byte(s) sent to socket
> 2019.04.12 10:16:43 LOG5[6]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:13878
> 2019.04.12 10:16:45 LOG3[6]: s_connect: connect ::1:25: Connection refused (61)
> 2019.04.12 10:16:45 LOG5[6]: s_connect: connected 127.0.0.1:25
> 2019.04.12 10:16:45 LOG5[6]: Service [ssmtp] connected remote server from 127.0.0.1:54688
> 2019.04.12 10:16:49 LOG5[6]: Connection closed: 232 byte(s) sent to TLS, 68 byte(s) sent to socket
>
> So in the above example I would like fail2ban to ban 185.222.209.224 and 193.57.40.242. I.e. the IP is in the line above the ‘Connection refused’ line.
>
> Can someone please help me with a failregex for the stunnel filter that would do this?
>
> Thanks,
>
> James.
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
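An added example, not part of the original thread and not fail2ban's own code: a Python emulation of the two-line matching described in the reply, run over log lines from the original post. The timestamp stripping, the IPv4-only stand-in for <HOST>, the function name find_failures and the thread-id backreference (which ties both lines to the same LOGn[id] and goes beyond the reply's \n.* join) are assumptions of this sketch.

```python
import re
from collections import Counter

# Abridged from the log quoted in the post; the last two lines (192.0.2.10)
# are constructed to show a connection that is accepted but not refused.
SAMPLE_LOG = """\
2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] accepted connection from ::ffff:185.222.209.224:24846
2019.04.12 10:16:22 LOG3[4]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:22 LOG5[4]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:30 LOG5[3]: Connection closed: 232 byte(s) sent to TLS, 84 byte(s) sent to socket
2019.04.12 10:16:30 LOG5[5]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:62532
2019.04.12 10:16:31 LOG3[5]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:31 LOG5[5]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:43 LOG5[6]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:13878
2019.04.12 10:16:45 LOG3[6]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:45 LOG5[6]: s_connect: connected 127.0.0.1:25
2019.04.12 10:17:01 LOG5[7]: Service [ssmtp] accepted connection from ::ffff:192.0.2.10:40000
2019.04.12 10:17:01 LOG5[7]: s_connect: connected 127.0.0.1:25
"""

# The timestamp is removed from every line before it enters the buffer.
TIMESTAMP = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}")
# Assumption: plain IPv4 pattern standing in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Both lines must carry the same LOGn[id] so interleaved connections do not pair up.
FAILREGEX = re.compile(
    r"^\s*LOG\d\[(?P<tid>\d+)\]: Service \[ssmtp\] accepted connection from "
    r"::ffff:" + HOST + r":\d+\n"
    r"\s*LOG\d\[(?P=tid)\]: s_connect: connect ::1:25: Connection refused \(61\)$",
    re.MULTILINE,
)

def find_failures(log_text, maxlines=2):
    """Return a Counter of host -> match count using a buffer of `maxlines` lines."""
    hits = Counter()
    buf = []
    for line in log_text.splitlines():
        buf.append(TIMESTAMP.sub("", line, count=1))
        buf = buf[-maxlines:]              # keep only the newest lines
        m = FAILREGEX.search("\n".join(buf))
        if m:
            hits[m.group("host")] += 1
            buf = []                       # matched lines are not counted twice
    return hits
```

In the quoted log every refused connect to ::1:25 is followed by a successful connect to 127.0.0.1:25 on the same thread, so confirm the pattern does not also match legitimate submissions before banning on it.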
