Hi,

you should get different output.

Note that you have 5796 hits for tai64n which means that it recognized that 
many lines starting with a date / time stamp.
There should be a section where it identifies IPs.

The important part is a section that looks like this:

Results
=======

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : 
client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

If this has matches, then they are matches against your failregex (35 in my case).

My complete output looks like this:


****snip****

fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
<.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay"

Running tests
=============

Use regex line : CHKUSER rejected relaying: from <.*:> remote <.*:....
Use log file   : /var/log/qmail/smtp/current


Results
=======

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : 
client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
8502 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 35

However, look at the above section 'Running tests' which could contain important
information.


****snip****


Hope this helps?

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

On 06.05.2011 at 10:08, Délsio Cabá wrote:

> Hi,
> I also do get hits:
> 
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 5796 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> 
> Success, the total number of match is 134
> 
> 
> But they are in TAI64N, isn't that a problem? Will fail2ban be able to get 
> the time from that?
> 
> 
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> You might try:
> 
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt 
> <.*> : client not allowed to relay
> 
> when I did
> 
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
> <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay"
> 
> I got 35 hits.
> 
> Martin
> 
> PS: All I did was to replace variable strings in the log line with wildcard .*
> 
> 
> 
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
> 
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this 
> > guide: 
> > http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a 
> > regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post 
> > this here also
> >
> > Thanks
> >
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the 
> > fail2ban mailing list. :-)
> >
> > Martin
> >
> >
> > On 06.05.2011 at 08:58, Finn Buhelt wrote:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known 
> > > timestamp to check against, and I cannot recall fail2ban having this 
> > > timestamp listed as valid.
> > >
> > > But as said - just out of the head.
> > > Regards,
> > > Finn
> > >
> > >
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from 
> > >> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <> 
> > >> : sender accepted
> > >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from 
> > >> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt 
> > >> <m...@zicel.ru> : invalid rcpt MX domain
> > >> ..
> > >> @400000004dc3905511aba4bc CHKUSER accepted sender: from 
> > >> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt 
> > >> <> : sender accepted
> > >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from 
> > >> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt 
> > >> <mad...@usc.es> : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I 
> > >> have tried this:
> > >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seem to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client 
> > >> not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!
> >
> >
> > ---------------------------------------------------------------------------------
> > Qmailtoaster is sponsored by Vickers Consulting Group 
> > (www.vickersconsulting.com)
> >    Vickers Consulting Group offers Qmailtoaster support and installations.
> >      If you need professional help with your setup, contact them today!
> > ---------------------------------------------------------------------------------
> >     Please visit qmailtoaster.com for the latest news, updates, and 
> > packages.
> >
> >      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> >     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> >
> >
> >
> 
> 
> 
> 
> 


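As an added illustration (not code from this thread or from fail2ban itself), the following Python models what fail2ban-regex does with the qmail smtp log discussed above: it decodes the TAI64N label that Délsio asked about, applies Martin's failregex with the <HOST> placeholder substituted, and then applies a maxretry/findtime test like fail2ban's ban decision. The sample log lines, the IPv4-only host group and the 34-second TAI-UTC offset for 2011 are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape of the qmail smtp log quoted in the
# thread (TAI64N label, then the CHKUSER message); hosts are documentation IPs.
SAMPLE_LOG = """\
@400000004dc390330ffb50f4 CHKUSER accepted sender: from <root@example.com::> remote <demagnify:unknown:192.0.2.10> rcpt <> : sender accepted
@400000004dc390562cb394a4 CHKUSER rejected relaying: from <root@example.com::> remote <byte:unknown:192.0.2.10> rcpt <mail@example.net> : client not allowed to relay
@400000004dc390570c9e201c CHKUSER rejected rcpt: from <root@example.com::> remote <byte:unknown:192.0.2.10> rcpt <x@example.org> : invalid rcpt MX domain
@400000004dc390580c9e201c CHKUSER rejected relaying: from <root@example.com::> remote <byte:unknown:192.0.2.10> rcpt <y@example.org> : client not allowed to relay
@400000004dc3a0000c9e201c CHKUSER rejected relaying: from <a@example.org::> remote <host:unknown:198.51.100.7> rcpt <z@example.org> : client not allowed to relay
"""

# Martin's failregex from the thread. fail2ban substitutes its own host pattern
# for <HOST>; the IPv4-only named group used here is a simplification.
FAILREGEX = (r"CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> "
             r"rcpt <.*> : client not allowed to relay")
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

TAI_MINUS_UTC = 34  # leap-second offset (TAI - UTC) in force during 2011; assumption


def tai64n_to_utc(label):
    """Decode a daemontools TAI64N label ('@' + 16 hex secs + 8 hex nanos)."""
    if len(label) != 25 or label[0] != "@":
        raise ValueError("not a TAI64N label: %r" % label)
    tai_seconds = int(label[1:17], 16) - (1 << 62)  # TAI64 labels are offset by 2^62
    nanoseconds = int(label[17:25], 16)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        seconds=tai_seconds - TAI_MINUS_UTC, microseconds=nanoseconds // 1000)


def scan(log_text):
    """Map each remote host to the UTC times of its failregex matches (log order)."""
    hits = {}
    for line in log_text.splitlines():
        label, _, message = line.partition(" ")  # fail2ban strips the stamp first
        match = PATTERN.search(message)
        if match:
            hits.setdefault(match.group("host"), []).append(tai64n_to_utc(label))
    return hits


def offenders(hits, maxretry=2, findtime=600):
    """Hosts with `maxretry` matches inside a `findtime`-second window (fail2ban's ban test)."""
    return sorted(host for host, times in hits.items()
                  if any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
                         for i in range(len(times) - maxretry + 1)))
```

Running scan(SAMPLE_LOG) yields two hits for 192.0.2.10 and one for 198.51.100.7, and offenders() returns only 192.0.2.10 with the default maxretry of 2.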