Hi, Same behavior, it does get some hits, but it doesn't ban. Other fail2ban filters are working except the one from qmail.

fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filter.d/qmail-smtp.conf

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
6347 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 168

[delsio@ns ~]# fail2ban-client status qmail-smtp
Status for the jail: qmail-smtp
|- filter
|  |- File list: /var/log/qmail/smtp/current
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0

2011/5/6 Toma Bogdan <tbog...@direkt.ro>

> On 5/6/2011 9:10 AM, Délsio Cabá wrote:
> > Hi all
> >
> > I am getting a lot of DDOS on smtp connection logs:
> >
> > @400000004dc390330ffb50f4 CHKUSER accepted sender: from <r...@mydomain.com::> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted
> > @400000004dc390340c9e201c CHKUSER rejected rcpt: from <r...@mydomain.com::> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <m...@zicel.ru> : invalid rcpt MX domain
> > ..
> > @400000004dc3905511aba4bc CHKUSER accepted sender: from <r...@ns.mozdesigners.com::> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted
> > @400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt <mad...@usc.es> : client not allowed to relay
> >
> > I need to block this using fail2ban but the regex is quite complex. I have tried this:
> > "<HOST>\> rcpt \S+ : client not allowed to relay$"
> >
> > But it doesn't seem to be working as expected:
> > fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
> > ...
> > Date template hits:
> > 0 hit(s): MONTH Day Hour:Minute:Second
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > 0 hit(s): Year/Month/Day Hour:Minute:Second
> > 0 hit(s): Day/Month/Year Hour:Minute:Second
> > 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > 0 hit(s): Year-Month-Day Hour:Minute:Second
> > 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > 0 hit(s): Day-Month-Year Hour:Minute:Second
> > 1184 hit(s): TAI64N
> > 0 hit(s): Epoch
> > 0 hit(s): ISO 8601
> > 0 hit(s): Hour:Minute:Second
> > 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >
> > Any help would be very appreciated
> > Thanks!
>
> try this
> failregex = CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$
>
> check it with :
> fail2ban-regex /var/log/qmail/smtp/current /etc/fail2ban/filters/qmail-smtp-filter.conf
>
> --
> T. Bogdan
> Network/Systems Security
> www.direkt.ro
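
Added example, not part of the thread and not fail2ban's own code: a Python check of the failregex suggested in the reply, run over constructed multilog lines modelled on the ones quoted above, with the TAI64N labels decoded to UTC. The IPv4-only `HOST` pattern standing in for fail2ban's `<HOST>` tag, the function names and the sample addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex suggested in the reply quoted above.
FAILREGEX = r"CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$"
# TAI64N label: "@", 16 hex digits of seconds, 8 hex digits of nanoseconds.
TAI64N = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")

# Constructed sample in the CHKUSER layout shown in the thread; addresses are
# example.* placeholders and documentation-range IPs, not values from the log.
SAMPLE = """\
@400000004dc390330ffb50f4 CHKUSER accepted sender: from <a@example.com::> remote <demagnify:unknown:192.0.2.14> rcpt <> : sender accepted
@400000004dc390562cb394a4 CHKUSER rejected relaying: from <a@example.com::> remote <byte:unknown:192.0.2.14> rcpt <c@example.org> : client not allowed to relay
@400000004dc3905700000000 CHKUSER rejected relaying: from <d@example.com::> remote <mail.example.net:unknown:198.51.100.7> rcpt <e@example.org> : client not allowed to relay
"""

def decode_tai64n(sec_hex, nsec_hex):
    """TAI64N label -> datetime; the TAI-UTC leap-second offset is ignored."""
    seconds = int(sec_hex, 16) - 2**62  # labels are offset by 2^62
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.replace(microsecond=int(nsec_hex, 16) // 1000)

def find_failures(log_text, failregex=FAILREGEX):
    """Return [(time, host)] for each log line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = []
    for line in log_text.splitlines():
        label = TAI64N.match(line)
        if label is None:
            continue  # no TAI64N label at the start of the line
        found = pattern.search(label.group(3))
        if found:
            when = decode_tai64n(label.group(1), label.group(2))
            hits.append((when, found.group("host")))
    return hits

if __name__ == "__main__":
    hits = find_failures(SAMPLE)
    for when, host in hits:
        print(when.isoformat(), host)
    # Failures per host, the figure a jail compares with maxretry.
    print(Counter(host for _, host in hits))
```

The third sample line is a relay rejection that the pattern does not count: `\w*` matches neither dots nor hyphens, so a dotted HELO field such as `mail.example.net` falls outside the filter.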