Actually, you are wrong. The ones with set_id=<username> and
set_id=<username@site> are equally missed. You may be seeing an artifact
of many mail clients that convert name@site into an email link, marking
it as such. But if you look carefully, the first line where it says
set_id=survey2 and the second line where it says
[email protected] are both flagged as missed by
fail2ban-regex. There are six lines in the test sample, and six "missed"
lines.
On 1/17/2021 3:13 AM, Ron Johnson wrote:
The one thing I immediately notice, and I'm sure everyone else has as
well, the ones that seem to be processed properly do not have the
domain portion of the input as opposed to the problematic ones which
have domain set. Have you tried without domain set against nenad, mrs,
myp etc etc to see if that works?
Ron
From: Nick Howitt
Sent: Sunday, January 17, 2021 1:49 AM
To: [email protected]
Subject: Re: [Fail2ban-users] Fail2ban ignoring exim completely
Shouldn't it be "\[<HOST>\]" and not just "<HOST>"?
On 17/01/2021 02:15, Dan Egli wrote:
Hey people, I don't know what's going on with F2B lately, but it
seems to be completely ignoring anything happening with exim. Even
fail2ban-regex won't pick anything up, and I tried doing it with a
direct match.
root@jupiter:~# cat fails.log
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
root@jupiter:~# fail2ban-regex fails.log "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : 2021-01-16 18:57:53.840 fixed_login_exim4u authent...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
root@jupiter:~#
Note that it says all lines missed, but line #1 is an exact match.
I also tried it without the date/time, same result:
root@jupiter:~# fail2ban-regex fails.log "fixed_login_exim4u authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : fixed_login_exim4u authenticator failed for (local...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
It's catching people trying to break in via SSH just fine. In fact
my recidive list is getting so big I may have to clean it out soon
just to make sure that it's not slowing down internet processing.
But no matter what I try, it keeps saying all lines missed in the
log. Even that log file is a snip of the actual log that shows
actual failures.
Help?
--
Dan Egli
From my Test Server
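An added example (not from this thread or the fail2ban project) showing why fail2ban-regex reports every line as missed, whether or not the set_id carries a domain: in the failregex "... failed for (localhost) <HOST>", the parentheses are a regex group that matches the bare word localhost, and nothing in the pattern stands for the square brackets around the client address, so the pattern cannot match the quoted exim lines as written. Escaping them as Nick suggested, \(localhost\) \[<HOST>\], makes the lines match and captures the address. The <HOST> stand-in below is a simplified IPv4-only capture (an assumption; fail2ban's real expansion is broader and also covers IPv6 and hostnames), the sample lines are constructed from the ones quoted above, and the timestamp is left off because fail2ban strips the date it has recognised before the failregex is applied.

```python
import re

# Constructed sample lines, modelled on the exim output quoted in the thread.
# The timestamp is omitted: fail2ban removes the date it recognised before the
# failregex is applied, so a failregex should not include it anyway.
SAMPLE_LINES = [
    "fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] "
    "I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)",
    "fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] "
    "I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)",
    "fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] "
    "I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=user@example.invalid)",
]

# Constructed line with the parentheses and brackets removed: this is the only
# shape the unescaped pattern can match, which is the whole problem.
BARE_LINE = ("fixed_login_exim4u authenticator failed for localhost 45.142.120.74 "
             "I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)")

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion also covers IPv6 and hostnames; IPv4 is enough to show the point).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The pattern from the thread as typed, and the escaped form Nick suggested.
UNESCAPED = "fixed_login_exim4u authenticator failed for (localhost) <HOST>"
ESCAPED = r"fixed_login_exim4u authenticator failed for \(localhost\) \[<HOST>\]"


def compile_failregex(failregex):
    """Expand the <HOST> placeholder and compile, as fail2ban does for a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, lines):
    """Return the address captured from every line the failregex matches.

    The length of the result is what fail2ban-regex reports as 'matched';
    the remaining lines are its 'missed' count.
    """
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


def summarize(failregex, lines):
    """Counts in the style of fail2ban-regex's 'Lines: N lines, M matched, K missed'."""
    matched = len(match_hosts(failregex, lines))
    return {"lines": len(lines), "matched": matched, "missed": len(lines) - matched}


if __name__ == "__main__":
    for name, rx in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(name, summarize(rx, SAMPLE_LINES), match_hosts(rx, SAMPLE_LINES))
    # The unescaped pattern only matches a line that has no ( ) [ ] at all.
    print("unescaped vs bare line:", match_hosts(UNESCAPED, [BARE_LINE]))
```

The same check can be run directly against the quoted log with the escaped pattern, e.g. fail2ban-regex fails.log 'fixed_login_exim4u authenticator failed for \(localhost\) \[<HOST>\]' (single quotes keep the shell from touching the backslashes); the Lines summary should then show the six lines matched and the banned address taken from inside the brackets rather than from the I=[...] server address.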
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users