I wasn’t trying to be right or wrong. I was just pointing out what I noticed as different.
Actually, you are wrong. The ones with set_id=<username> and set_id=<username@site> are equally missed. You may be seeing an artifact of many mail clients that convert name@site into an email link, marking it as such. But if you look carefully, the first line where it says set_id=survey2 and the second line where it says [email protected] are both flagged as missed by fail2ban-regex. There are six lines in the test sample, and six "missed" lines.
The one thing I immediately notice, and I'm sure everyone else has as well: the ones that seem to be processed properly do not have the domain portion of the input, as opposed to the problematic ones which have the domain set. Have you tried without the domain set against nenad, mrs, myp etc. to see if that works?
Ron
Sent from Mail for Windows 10
Shouldn't it be "\[<HOST>\]" and not just "<HOST>"?
On 17/01/2021 02:15, Dan Egli wrote:
Hey people, I don't know what's going on with F2B lately, but it seems to be completely ignoring anything happening with exim. Even fail2ban-regex won't pick anything up, and I tried doing it with a direct match.
root@jupiter:~# cat fails.log
2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
root@jupiter:~# fail2ban-regex fails.log "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : 2021-01-16 18:57:53.840 fixed_login_exim4u authent...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
root@jupiter:~#
Note that it says all lines missed, but line #1 is an exact match. I also tried it without the date/time, same result:
root@jupiter:~# fail2ban-regex fails.log "fixed_login_exim4u authenticator failed for (localhost) <HOST>"
Running tests
=============
Use failregex line : fixed_login_exim4u authenticator failed for (local...
Use log file : fails.log
Use encoding : ISO-8859-1
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.74] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=survey2)
| 2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.52] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:01.192 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.31] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.166] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=sqlserver)
| 2021-01-16 18:58:05.359 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.53] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])
| 2021-01-16 18:58:06.493 fixed_login_exim4u authenticator failed for (localhost) [45.142.120.121] I=[209.141.58.25]:587: 535 Incorrect authentication data (set_id=stagiaire)
`-
It's catching people trying to break in via SSH just fine. In fact my recidive list is getting so big I may have to clean it out soon just to make sure that it's not slowing down internet processing. But no matter what I try, it keeps saying all lines missed in the log. Even that log file is a snip of the actual log that shows actual failures.
Help?
--
Dan Egli
From my Test Server
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
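The following is an added example, not code from the thread or from fail2ban itself. It reproduces in plain Python what fail2ban-regex is doing with the failregex above, so the reason for "6 missed" can be checked offline. Two assumptions are made: `<HOST>` is expanded to a simplified IPv4-only pattern (fail2ban's real expansion also covers IPv6 and hostnames), and the timestamp is cut off the line before the failregex is applied, using the exact `YYYY-MM-DD HH:MM:SS.mmm` prefix seen in the sample. The log lines are constructed to mirror the exim4u authenticator lines in the mail, with documentation-range IPs and made-up usernames. It also goes one step beyond the thread by testing the two fixes separately: escaping `(localhost)` and wrapping `<HOST>` in `\[ \]` are each needed, because fail2ban compiles failregex with Python's `re`, where parentheses open a group rather than matching literally.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines modelled on the exim4u authenticator lines in the
# thread; IPs are from documentation ranges and the usernames are invented.
SAMPLE_LINES = [
    "2021-01-16 18:57:53.840 fixed_login_exim4u authenticator failed for (localhost) "
    "[192.0.2.74] I=[198.51.100.25]:587: 535 Incorrect authentication data (set_id=survey2)",
    "2021-01-16 18:58:00.172 fixed_login_exim4u authenticator failed for (localhost) "
    "[192.0.2.52] I=[198.51.100.25]:587: 535 Incorrect authentication data (set_id=user@example.invalid)",
    "2021-01-16 18:58:04.296 fixed_login_exim4u authenticator failed for (localhost) "
    "[192.0.2.166] I=[198.51.100.25]:587: 535 Incorrect authentication data (set_id=sqlserver)",
]

# Assumption: the timestamp has this fixed shape and is removed before matching.
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ")


def expand_host(failregex: str) -> str:
    """Replace the <HOST> placeholder with the IPv4 capture pattern."""
    return failregex.replace("<HOST>", HOST_RE)


def strip_date(line: str) -> str:
    """Drop the leading timestamp, as fail2ban does before applying failregex."""
    return DATE_PREFIX.sub("", line, count=1)


def run_failregex(failregex: str, lines) -> list:
    """Return the <HOST> values captured from every line the failregex matches."""
    pattern = re.compile(expand_host(failregex))
    hosts = []
    for line in lines:
        match = pattern.search(strip_date(line))
        if match:
            hosts.append(match.group("host"))
    return hosts


# The regex from the original mail (date part dropped, as in the second run):
# "(localhost)" is a regex group matching the bare word, so the literal
# parentheses in the log never match, and <HOST> is not bracketed.
ORIGINAL = r"fixed_login_exim4u authenticator failed for (localhost) <HOST>"

# Only the fix suggested in the thread: brackets around <HOST>.
BRACKETS_ONLY = r"fixed_login_exim4u authenticator failed for (localhost) \[<HOST>\]"

# Only the parentheses escaped.
PARENS_ONLY = r"fixed_login_exim4u authenticator failed for \(localhost\) <HOST>"

# Both literal characters escaped: this is the version that captures the client IP
# (the first bracketed address, not the server's I=[...] address).
FIXED = r"fixed_login_exim4u authenticator failed for \(localhost\) \[<HOST>\]"


def summarise(failregex: str) -> str:
    """One-line report in the spirit of fail2ban-regex's 'matched / missed' count."""
    matched = len(run_failregex(failregex, SAMPLE_LINES))
    return f"{matched} matched, {len(SAMPLE_LINES) - matched} missed"


if __name__ == "__main__":
    for name, rx in [("original", ORIGINAL), ("brackets only", BRACKETS_ONLY),
                     ("parens only", PARENS_ONLY), ("both escaped", FIXED)]:
        print(f"{name:14s}: {summarise(rx)}")
    print("hosts captured by fixed regex:", run_failregex(FIXED, SAMPLE_LINES))
```

Running it shows the first three variants missing all lines and only the fully escaped regex capturing the three client addresses; fail2ban-regex on a real filter file will behave the same way, since the failregex passes straight through the same `re` engine.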