Hey people, I don't know what's going on with F2B lately, but it seems
to be completely ignoring anything happening with exim. Even
fail2ban-regex won't pick anything up, and I tried doing it with a
direct match.
root@jupiter:~# cat fails.log
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=stagiaire)
root@jupiter:~# fail2ban-regex fails.log "2021-01-16 18:57:53.840
fixed_login_exim4u authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : 2021-01-16 18:57:53.840 fixed_login_exim4u authent...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=stagiaire)
`-
root@jupiter:~#
Note that it says all lines missed, but line #1 is an exact match. I
also tried it without the date/time, same result:
root@jupiter:~# fail2ban-regex fails.log "fixed_login_exim4u
authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : fixed_login_exim4u authenticator failed for (local...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect
authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for
(localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect
authentication data (set_id=stagiaire)
`-
It's catching people trying to break in via SSH just fine. In fact my
recidive list is getting so big I may have to clean it out soon just to
make sure that it's not slowing down internet processing. But no matter
what I try, it keeps saying all lines missed in the log. Even that log
file is a snip of the actual log that shows actual failures.
Help?
--
Dan Egli
From my Test Server
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
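An added illustration of why the two regexes in the message above miss every line; this is editor's example code, not part of Dan's message and not fail2ban's own code. It mimics what fail2ban-regex does with a failregex: the recognised timestamp is removed from the line before the failregex is applied (so a pattern that begins with the date can never match), `<HOST>` is expanded to a sub-pattern that matches the address itself but not the `[` `]` around it, and the remaining text is a Python regular expression, so `(localhost)` is a capture group matching the bare word `localhost`, not the literal `(localhost)` in the log. `HOST_TAG_RE` is a simplified stand-in for fail2ban's real `<HOST>` expansion (assumption, not fail2ban's exact definition), and the log lines are constructed in the shape of the posted ones with RFC 5737 documentation addresses.

```python
import re

# Constructed sample lines in the shape of the exim mainlog lines from the
# post; addresses are RFC 5737 documentation ranges, not the real ones.
SAMPLE_LINES = [
    "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for "
    "(localhost) [192.0.2.74] I=[198.51.100.25]:587: 535 Incorrect "
    "authentication data (set_id=survey2)",
    "2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for "
    "(localhost) [192.0.2.52] I=[198.51.100.25]:587: 535 Incorrect "
    "authentication data (set_id=user@example.com)",
    "2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for "
    "(localhost) [192.0.2.166] I=[198.51.100.25]:587: 535 Incorrect "
    "authentication data (set_id=sqlserver)",
]

# The "Year-Month-Day 24hour:Minute:Second.Microseconds" prefix that the date
# template in the fail2ban-regex output recognised on all six lines.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\s+")

# Assumption: simplified stand-in for fail2ban's <HOST> expansion. It matches a
# hostname or address made of word characters, dots and dashes and does NOT
# consume surrounding '[' or ']'; that is the property that matters here.
HOST_TAG_RE = r"(?P<host>[\w\-.^_]*\w)"

# The two patterns tried in the message, and a corrected one that escapes the
# literal parentheses and brackets so they match as text rather than as regex
# syntax.
POSTED_WITH_DATE = ("2021-01-16 18:57:53.840 fixed_login_exim4u authenticator "
                    "failed for (localhost) <HOST>")
POSTED_WITHOUT_DATE = "fixed_login_exim4u authenticator failed for (localhost) <HOST>"
CORRECTED = (r"fixed_login_exim4u authenticator failed for \(\S+\) \[<HOST>\] "
             r"I=\[\S+\]:\d+: 535 Incorrect authentication data")


def expand_tags(failregex):
    """Replace the <HOST> tag with its regex expansion."""
    return failregex.replace("<HOST>", HOST_TAG_RE)


def strip_timestamp(line):
    """Remove the leading timestamp, as fail2ban does before applying failregex."""
    return TIMESTAMP_RE.sub("", line, count=1)


def run_failregex(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    pattern = re.compile(expand_tags(failregex))
    hosts = []
    for line in lines:
        match = pattern.search(strip_timestamp(line))
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for name, regex in [("posted, with date", POSTED_WITH_DATE),
                        ("posted, without date", POSTED_WITHOUT_DATE),
                        ("corrected", CORRECTED)]:
        hosts = run_failregex(regex, SAMPLE_LINES)
        print(f"{name}: {len(hosts)} of {len(SAMPLE_LINES)} matched {hosts}")
```

The same corrected pattern can be handed to the real tool as `fail2ban-regex fails.log '<regex>'` (single-quoted so the shell leaves the backslashes alone); the run should then report every line as matched with the client address, not the listening address in `I=[...]`, captured as the host to ban.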