The one thing I immediately notice, and I'm sure everyone else has as well: the ones that seem to be processed properly do not have the domain portion of the input, as opposed to the problematic ones, which have domain set. Have you tried without domain set against nenad, mrs, myp etc. to see if that works?

Ron

Sent from Mail for Windows 10

Shouldn't it be "\[<HOST>\]" and not just "<HOST>"?

On 17/01/2021 02:15, Dan Egli wrote:

Hey people,

I don't know what's going on with F2B lately, but it seems to be completely ignoring anything happening with exim. Even fail2ban-regex won't pick anything up, and I tried doing it with a direct match.
root@jupiter:~# cat fails.log
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
root@jupiter:~# fail2ban-regex fails.log "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) <HOST>"

Running tests
=============

Use   failregex line : 2021-01-16 18:57:53.840 fixed_login_exim4u authent...
Use         log file : fails.log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
|  2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
|  2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
root@jupiter:~#
Note that it says all lines missed, but line #1 is an exact match. I also tried it without the date/time, same result:
root@jupiter:~# fail2ban-regex fails.log "fixed_login_exim4u authenticator failed for (localhost) <HOST>"

Running tests
=============

Use   failregex line : fixed_login_exim4u authenticator failed for (local...
Use         log file : fails.log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
|  2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
|  2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
|  2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
It's catching people trying to break in via SSH just fine. In fact my recidive list is getting so big I may have to clean it out soon just to make sure that it's not slowing down internet processing. But no matter what I try, it keeps saying all lines missed in the log. Even that log file is a snip of the actual log that shows actual failures.
Help?
--
Dan Egli
From my Test Server
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
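Worked illustration of why every line above is reported as missed (added here as an editorial example; it is not code from the thread or from the fail2ban project). A failregex is a Python regular expression, so the unescaped "(localhost)" in the attempted pattern is a capture group that matches the bare word localhost, never the literal parentheses in the log line, and the "<HOST>" placeholder on its own does not consume the square brackets that exim puts around the client address. That is the point of the "\[<HOST>\]" suggestion in the reply: escape the parentheses and wrap the placeholder in escaped brackets. fail2ban also cuts out the timestamp its date template recognised before applying the failregex, which is why the first attempt, with the literal date in it, had no chance either. The script below substitutes a deliberately simplified host pattern for "<HOST>" (an assumption: fail2ban's real expansion also handles IPv6 and hostnames) and runs the broken pattern, the half-fixed pattern, and the corrected pattern over the six log lines copied from the thread (the "[email protected]" strings are the archive's address redaction, kept as they appear).

```python
import re

# Sample input: the six lines from Dan's fails.log, copied from the thread.
SAMPLE_LOG = """\
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: enough for
# dotted IPv4 addresses and plain hostnames; the real one is broader). Note
# that '[' and ']' are NOT in this class, exactly as in fail2ban's own version.
HOST_RE = r"(?P<host>[\w\-.]+)"

# The pattern from the thread: "(localhost)" is a regex group here, so it
# matches the word localhost but not the parentheses actually in the log.
BROKEN = r"fixed_login_exim4u authenticator failed for (localhost) <HOST>"

# Parentheses escaped, but <HOST> still has to start on the '[' character,
# which the host class does not accept, so this still matches nothing.
ESCAPED_ONLY = r"fixed_login_exim4u authenticator failed for \(localhost\) <HOST>"

# Parentheses escaped AND the placeholder wrapped in escaped brackets, as the
# reply in the thread suggests.
FIXED = r"fixed_login_exim4u authenticator failed for \(localhost\) \[<HOST>\]"


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand the <HOST> placeholder the way fail2ban does and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def extract_hosts(pattern: str, log_text: str) -> list:
    """Return the host captured from every line the pattern matches."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN),
                          ("escaped-only", ESCAPED_ONLY),
                          ("fixed", FIXED)):
        hits = extract_hosts(pattern, SAMPLE_LOG)
        print(f"{name:13s}: {len(hits)} matched -> {hits}")
```

The same correction applied to the command in the thread is `fail2ban-regex fails.log 'fixed_login_exim4u authenticator failed for \(localhost\) \[<HOST>\]'`, with no timestamp in front, since fail2ban has already removed it.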