On 15/07/2021 23:43, Alex wrote:
> Hi,
>
> I'm using fail2ban-0.11 on fedora33 and would like to add the
> following syslog entry to my postfix file:
>
> Jul 15 18:41:26 cipher postfix/submission/smtpd[1935971]: warning: wsip-24-249-23-200.ks.ks.cox.net[24.249.23.200]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> I see several SASL entries in there already, but none appear to match:
>
> mdpr-auth = warning:
> mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
> mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
>
> Is the proper procedure to create an mdre-auth3, then add it to the
> mdre-aggressive line?
>
> mdre-aggressive = %(mdre-auth2)s
>                   %(mdre-normal)s

It is certainly intended that this line should trigger a ban iff postfix
jail uses

    mode = extra

or

    mode = aggressive

But I think there may be a problem with the mdre-auth2 regex; I am
experimenting with removing '^[^[]*' from the front of it (in my
postfix.local).
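
Added example, not part of the original message or of fail2ban's own code: a Python check of the quoted log line against mdre-auth and mdre-auth2, and against mdre-auth2 with the leading '^[^[]*' removed. Assumptions: <HOST>, %(_port)s and the prefix handling are simplified stand-ins (IPv4 only), the mid-pattern (?i) is written as a scoped group, and the two extra log lines are constructed.

```python
import re

# Assumed, simplified stand-ins for fail2ban's substitutions (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # stands in for <HOST>
PORT = r"(?::\d+)?"                                # stands in for %(_port)s
# ((?i)LOGIN|...) from the filter, written as a scoped group because
# Python 3.11+ rejects a global inline flag in the middle of a pattern.
MECH = r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
# Assumed prefix handling: drop everything up to mdpr-auth ("warning:").
PREFIX = re.compile(r"postfix(?:/\S+)?\[\d+\]:\s+warning:\s*(?P<content>.+)$")

LOST = r" Connection lost to authentication server"
BAD_MECH = r" Invalid authentication mechanism"

def build(excluded, anchored=True):
    """Assemble an mdre-auth style regex; anchored=False drops '^[^[]*'."""
    head = r"^[^[]*" if anchored else ""
    return re.compile(head + r"\[" + HOST + r"\]" + PORT + ": SASL " + MECH
                      + r" authentication failed:(?!" + "|".join(excluded) + ")")

MDRE_AUTH = build([LOST, BAD_MECH])
MDRE_AUTH2 = build([LOST])
MDRE_AUTH2_NO_HEAD = build([LOST], anchored=False)

def failed_host(line, regex):
    """Return the offending IP if the line matches, else None."""
    pre = PREFIX.search(line)
    if not pre:
        return None
    m = regex.search(pre.group("content"))
    return m.group("host") if m else None

STAMP = "Jul 15 18:41:26 cipher postfix/submission/smtpd[1935971]: warning: "
# Line quoted in the message above.
FROM_MESSAGE = (STAMP + "wsip-24-249-23-200.ks.ks.cox.net[24.249.23.200]: "
                "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
# Constructed lines (documentation address) for the two excluded reasons.
BAD_MECH_LINE = (STAMP + "unknown[192.0.2.10]: SASL PLAIN authentication "
                 "failed: Invalid authentication mechanism")
LOST_LINE = (STAMP + "unknown[192.0.2.10]: SASL LOGIN authentication "
             "failed: Connection lost to authentication server")

if __name__ == "__main__":
    for name, rx in [("mdre-auth", MDRE_AUTH), ("mdre-auth2", MDRE_AUTH2),
                     ("mdre-auth2 without ^[^[]*", MDRE_AUTH2_NO_HEAD)]:
        for line in (FROM_MESSAGE, BAD_MECH_LINE, LOST_LINE):
            print(f"{name:28} {failed_host(line, rx)!s:15} {line[-45:]}")
```

The real filter uses fail2ban's full prefix and <HOST> expansions, so running fail2ban-regex against the actual log and filter remains the authoritative check.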