How about:

failregex = H=<HOST> .* rejected connection

or

failregex = H=<HOST> .* locally blacklisted for a bruteforce auth

?

murf

On Sat, Sep 5, 2020 at 2:54 AM Dan via Fail2ban-users <[email protected]> wrote:

> I REALLY suck at regular expressions, so please bear with me if this is
> an easy one for you. My MTA is setup to greylist sites that try brute
> force AUTH attacks. That's great, but it also floods my log files when
> they keep trying and the MTA keeps rejecting. I copied an example of the
> log file entry below. Can someone come up with a filter that I can put
> in fail2ban that would block the IP for the default time period?
>
>
> Thanks!
>
> --- Dan
>
> 2020-09-05 00:19:56.010 H=[<HIS IP>] I=[<MY IP>]:587 rejected connection
> in "connect" ACL: 45.142.120.74 locally blacklisted for a bruteforce
> auth (username+password) cracking attempt
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>

--
Steve Murphy
ParseTree Corporation
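An added example, not part of either poster's message: a Python check of how the two suggested patterns behave on log lines shaped like the quoted entry, showing which hosts each one would select. The `<HOST>` expansion used here is a simplified IPv4-only stand-in (an assumption, not fail2ban's own expansion), and the sample lines and addresses are constructed.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag. It accepts an
# IPv4 address with optional square brackets; the real tag covers more forms.
HOST = r"\[?(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]?"

# The two patterns suggested in the reply above.
CANDIDATES = {
    "broad": r"H=<HOST> .* rejected connection",
    "specific": r"H=<HOST> .* locally blacklisted for a bruteforce auth",
}

# Constructed log lines modelled on the quoted entry (documentation addresses).
SAMPLE_LOG = [
    # Same shape as the entry in the thread.
    '2020-09-05 00:19:56.010 H=[203.0.113.7] I=[192.0.2.1]:587 rejected '
    'connection in "connect" ACL: 203.0.113.7 locally blacklisted for a '
    'bruteforce auth (username+password) cracking attempt',
    # Hypothetical rejection for a different reason.
    '2020-09-05 00:20:03.114 H=[198.51.100.9] I=[192.0.2.1]:25 rejected '
    'connection in "connect" ACL: host is listed in a DNS blocklist',
    # Hypothetical line that is not a rejection at all.
    '2020-09-05 00:21:10.500 H=[192.0.2.50] I=[192.0.2.1]:587 accepted '
    'connection',
]


def compile_failregex(failregex):
    """Substitute the stand-in <HOST> pattern and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_to_ban(failregex, lines):
    """Return the host captured from every line the pattern matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        print(name, hosts_to_ban(pattern, SAMPLE_LOG))
```

On a live system, `fail2ban-regex` can run the same comparison against the actual log file with fail2ban's real `<HOST>` handling.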
