Sorry for the late reply. I've been really busy. I just tried fail2ban-regex and it doesn't seem to be catching it at all.  I had the datepattern in the file, except for the .%%f, which I added to no avail. Fail2ban-regex doesn't seem to see it. I don't know why since the match string was copied directly out of the log file.  In fact, GREP finds it just fine!

root@jupiter:/var/log/exim4# grep -c 'fixed_login_exim4u authenticator failed for .*' fails
691

Yet pass the same regex to fail2ban-regex and it's no good:
root@jupiter:/var/log/exim4# fail2ban-regex fails exim.local.conf

Running tests
=============

Use   failregex filter file : exim.local, basedir: /etc/fail2ban
Use      datepattern : Year-Month-Day 24hour:Minute:Second.Microseconds
Use         log file : fails
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [691] Year-Month-Day 24hour:Minute:Second.Microseconds
`-

Lines: 691 lines, 0 ignored, 0 matched, 691 missed
[processed in 0.05 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 691 lines

Here's the filter file:
[INCLUDES]

before = exim-common.conf

[Definition]


failregex =     fixed_login_exim4u authenticator failed for (User) <HOST> .*
                fixed_login_exim4u authenticator failed for .* <HOST>
                <HOST> locally blacklisted for a bruteforce
                H=(.*) <HOST> .* AUTH command used when not advertised
                SMTP call from <HOST> I=[209.141.58.25]:587 dropped: too many syntax or protocol errors .*
                ^.*SMTP protocol error in \"AUTH LOGIN\" .* H\=<HOST> .* AUTH command used when not advertised
datepattern = %%Y-%%m-%%d %%H:%%M:%%S.%%f


maxtries = 3

findtime = 4h

mode = normal

ignoreregex =

And the file fails has 691 lines like this (literally pulled at random):
2020-12-19 07:43:41.238 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])


Am I doing something else wrong? Please help.

On 12/21/2020 11:15 AM, James Moe via Fail2ban-users wrote:
On 12/19/20 3:51 PM, Dan Egli wrote:

2020-12-19 22:31:14.757 fixed_login_exim4u authenticator failed for
(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect

   The problem may be your date pattern. Try adding to your filter conf:
datepattern = %%Y-%%m-%%d %%H:%%M:%%S.%%f

   Have you tested your configuration with fail2ban-regex?


--
Dan Egli
From my Test Server
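As an added example (not code from the thread, and not fail2ban's own filter), the script below expands `<HOST>` the way fail2ban's filter does, runs the posted failregex lines against a constructed copy of the quoted log line, and compares them with a form that escapes the literal parentheses and keeps the square brackets around `<HOST>`. The `HOST` expansion is the one from the 0.9/0.10 filter code; treating it as representative of other releases is an assumption, but brackets are never part of the captured host in any release.

```python
import ipaddress
import re

# fail2ban's classic <HOST> expansion (0.9/0.10 filter code). Assumption: newer
# releases expand it differently, but the brackets in "[1.2.3.4]" are never
# part of the captured host in any of them.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample line with the same shape as the one quoted in the thread.
SAMPLE = ("2020-12-19 07:43:41.238 fixed_login_exim4u authenticator failed for "
          "(User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect "
          "authentication data (user@example.com)")

# The two authenticator lines exactly as posted in the thread's filter file.
POSTED = [
    r"fixed_login_exim4u authenticator failed for (User) <HOST> .*",
    r"fixed_login_exim4u authenticator failed for .* <HOST>",
]

# Corrected form: "(User)" escaped so it is matched literally rather than as a
# group, <HOST> wrapped in the brackets the log actually contains, and the
# tail spelled out so <HOST> cannot drift to a later token on the line.
FIXED = (r"fixed_login_exim4u authenticator failed for \(\S+\) \[<HOST>\] "
         r"I=\[\S+\](?::\d+)?: 535 Incorrect authentication data")


def expand(failregex):
    """Substitute <HOST> the way fail2ban does before compiling a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_host(failregex, line):
    """Return the host a failregex would capture from line, or None."""
    m = expand(failregex).search(line)
    return m.group("host") if m else None


def is_bannable(host):
    """True only if the captured value is an IP address fail2ban could ban."""
    try:
        ipaddress.ip_address(host)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    for rx in POSTED + [FIXED]:
        host = match_host(rx, SAMPLE)
        print(f"{rx[:60]:<60} -> host={host!r} bannable={is_bannable(host)}")
```

The first posted line never matches because `(User)` is a regex group matching the bare word `User`; the second matches but captures `data`, a later token, because `<HOST>` cannot start at a `[`.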



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
