On 10/16/2020 11:39 AM, Dan Egli wrote:
> Okay. fail2ban-regex finally recognised something. The string I
> searched for was:
> H=(.*) <HOST> .* AUTH command used when not advertised
>
> I'll try plugging that into my exim.local and see how it goes

Now fail2ban sees it, but it refuses to ACT on it!

# grep 103.154.241.29 fail2ban.log -c
113

Wait a minute, 113 times, and yet it has never banned them!?

# grep "Ban 103.154.241.29" fail2ban.log -c
0

What on earth happened here? The exim.local filter has a maxtries of 5!!! Not 500!

---- [ Cut here ] ---
[INCLUDES]
before = exim-common.conf

[Definition]
failregex = <HOST> locally blacklisted for a bruteforce
            H=(.*) <HOST> .* AUTH command used when not advertised
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
maxtries = 5
mdre-normal =
mode = normal
ignoreregex =
--- [ Cut Here ] ---

I did strip out comments for brevity. So, did I do something wrong or is something funky going on here?

--
Dan Egli
On my Test server
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
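An added example, not part of the original post or of fail2ban itself: fail2ban bans a host once the failures found for it within a jail's `findtime` reach that jail's `maxretry`, so this script goes beyond the two `grep -c` counts above and reports, per jail, how many `Found` and `Ban` lines an address has and the largest number of `Found` lines inside any one `findtime` window. The log lines are constructed, and the jail name `exim`, `maxretry=5` and `findtime=600` are assumptions to replace with the jail's real settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the usual fail2ban.log layout (not taken from the post):
# one match every five minutes for the address mentioned in the post.
SAMPLE_LOG = "\n".join(
    f"2020-10-16 11:{m:02d}:01,100 fail2ban.filter  [812]: INFO    "
    f"[exim] Found 103.154.241.29 - 2020-10-16 11:{m:02d}:01"
    for m in (0, 5, 10, 15, 20, 25)
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+"
    r"\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban|Ignore)\s+(?P<ip>\S+)"
)

def diagnose(log_text, ip, maxretry=5, findtime=600):
    """Per jail: event counts for ip and the peak number of Found lines
    seen inside any findtime-second window (maxretry/findtime are assumed
    values; read the real ones from the jail configuration)."""
    report = defaultdict(lambda: {"Found": 0, "Ban": 0, "Unban": 0,
                                  "Ignore": 0, "peak": 0})
    windows = defaultdict(deque)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] != ip:
            continue  # other hosts, or lines that are neither Found nor Ban
        jail = report[m["jail"]]
        jail[m["event"]] += 1
        if m["event"] == "Found":
            # The fail2ban.log timestamp approximates the time of the failure.
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            win = windows[m["jail"]]
            win.append(ts)
            while (ts - win[0]).total_seconds() > findtime:
                win.popleft()  # drop matches older than the window
            jail["peak"] = max(jail["peak"], len(win))
    for jail in report.values():
        jail["would_reach_maxretry"] = jail["peak"] >= maxretry
    return {name: dict(stats) for name, stats in report.items()}

if __name__ == "__main__":
    for name, stats in diagnose(SAMPLE_LOG, "103.154.241.29").items():
        print(name, stats)
```

A large total with a small `peak` means the matches are spread too thinly to reach the threshold; a `peak` at or above `maxretry` with no `Ban` line points at the jail or its action rather than the filter.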
