fail2ban v1.0.1.1
Fail2ban-regex matches the regex in the log files. Fail2ban itself does not.
---[ filter ]----
failregex = ^.*SMTPI.*\(\[<HOST>\].*\).*?failed to open.*\:(465|587)\..*Error Code=unknown user account.*$
            ^.*SMTPI.*\(\[<HOST>\].*\).*?failed to open.*\:(465|587)\..*Error Code=account is not available on this system.*$
            ^.*\[<HOST>\]\:.* failed to accept a secure connection for DOMAIN.*$
            ^.*\[<HOST>\]\:.* 476 connections from your host are denied.*
            ^.* from \[<HOST>\]\:.* Error Code\=incorrect password
ignoreregex = 127\.0\.0\.1
datepattern = %%H:%%M:%%S
----[ end ]----
----[ typical log entry (probably wrapped) ]----
16:53:05.720 1 ACCOUNT(sohnen-moe.cherie) login(SMTP) from
[60.169.66.113]:43301(TLS) failed. Error Code=incorrect password
----[ end ]----
There are many more entries that have 127.0.0.1 as the <HOST> than there are actual
IPs. Hence the ignoreregex.
Could this issue be possibly related to the "ignoreregex"?
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.