Hi, you should get different output.
Note that you have 5796 hits for tai64n, which means that it recognized that many lines starting with a date / time stamp. There should be a section where it identifies IPs. The important part is a section that looks like this:

Results
=======

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

If this has matches, then it is matches against your failregex (35 in my case).

My complete output looks like this:

****snip****
fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay"

Running tests
=============

Use regex line : CHKUSER rejected relaying: from <.*:> remote <.*:....
Use log file   : /var/log/qmail/smtp/current

Results
=======

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    ...

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
8502 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 35

However, look at the above section 'Running tests' which could contain important information.
****snip****

Hope this helps?

Martin

-- 
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

On 06.05.2011 at 10:08, Délsio Cabá wrote:
> Hi,
> I also do get hits:
>
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 5796 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
>
> Success, the total number of match is 134
>
> But they are in TAI64N, isn't that a problem? Will fail2ban be able to get the time from that?
>
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> You might try:
>
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
>
> when I did
>
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay"
>
> I got 35 hits.
>
> Martin
>
> PS: All I did was to replace variable strings in the log line with wildcard .*
>
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
>
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
>
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
>
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this guide:
> > http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post this here also
> >
> > Thanks
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the fail2ban mailing list. :-)
> >
> > Martin
> >
> > --
> > Martin Waschbüsch
> > IT-Dienstleistungen
> > Lautensackstr. 16
> > 80687 München
> >
> > Phone: +49 89 57005708
> > Fax: +49 89 57868023
> > Mobile: +49 170 2189794
> > serv...@waschbuesch.it
> > http://www.waschbuesch.it
> >
> > On 06.05.2011 at 08:58, Finn Buhelt wrote:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known timestamp to check against, and I cannot recall fail2ban having this timestamp listed as valid.
> > >
> > > But as said - just out of the head.
> > > Regards,
> > > Finn
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted
> > >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <m...@zicel.ru> : invalid rcpt MX domain
> > >> ..
> > >> @400000004dc3905511aba4bc CHKUSER accepted sender: from <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted
> > >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <mad...@usc.es> : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I have tried this:
> > >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seem to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
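Added example, not code from the thread or from fail2ban: a small Python script that does what fail2ban-regex does for the failregex posted above on qmail/multilog lines. It decodes the TAI64N label the thread worries about and applies the posted failregex with an assumed approximation of fail2ban's <HOST> expansion; the sample log lines and mail addresses are constructed, and only the first three stamps are the ones quoted in the thread.

```python
import re
from datetime import datetime, timezone

# failregex exactly as posted in the thread; <HOST> is fail2ban's placeholder
FAILREGEX = (r"CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> "
             r"rcpt <.*> : client not allowed to relay")
# Approximation of fail2ban's <HOST> expansion (assumed, not copied from fail2ban)
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# TAI64N label as multilog writes it: '@', 16 hex digits (2^62 + TAI seconds),
# then 8 hex digits of nanoseconds
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})$")


def tai64n_to_datetime(stamp):
    """Decode a TAI64N label to an aware UTC datetime, or None if malformed.
    The TAI-UTC leap-second offset (34 s in 2011) is ignored here."""
    m = TAI64N_RE.match(stamp)
    if not m:
        return None
    secs = int(m.group(1), 16) - (1 << 62)
    micros = int(m.group(2), 16) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)


def scan(lines, failregex=FAILREGEX):
    """Mimic fail2ban-regex: split off the TAI64N stamp, search the remainder
    with the expanded failregex, and collect hosts with their UTC event times."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    hits = {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        when = tai64n_to_datetime(stamp)
        if when is None:
            continue  # no recognised timestamp: fail2ban cannot place the event in time
        m = pattern.search(rest)
        if m:
            hits.setdefault(m.group("host"), []).append(when.strftime("%Y-%m-%d %H:%M:%S"))
    return hits


# Constructed sample lines in the thread's format (mail addresses made up; the
# stamps on the first three lines are the ones quoted in the thread).
SAMPLE_LOG = [
    "@400000004dc390330ffb50f4 CHKUSER accepted sender: from <root@mail.example.net::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted",
    "@400000004dc390340c9e201c CHKUSER rejected rcpt: from <root@mail.example.net::> remote <demagnify:unknown:173.212.197.14> rcpt <someone@example.org> : invalid rcpt MX domain",
    "@400000004dc390562cb394a4 CHKUSER rejected relaying: from <root@mail.example.net::> remote <byte:unknown:173.212.197.14> rcpt <someone@example.org> : client not allowed to relay",
    "@400000004dc390a01c2f0e10 CHKUSER rejected relaying: from <root@mail.example.net::> remote <byte:unknown:173.212.197.14> rcpt <other@example.org> : client not allowed to relay",
    "CHKUSER rejected relaying: from <root@mail.example.net::> remote <byte:unknown:198.51.100.7> rcpt <other@example.org> : client not allowed to relay",
]
```

Calling scan(SAMPLE_LOG) gives the per-host list that fail2ban-regex prints under "Addresses found"; the unstamped last line is skipped, which is why a recognised date template matters as much as the failregex itself.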