Does anyone have a good fail2ban filter for ASSP?
I have this filter:
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
#
# Homepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# Project site: http://sourceforge.net/projects/assp/?source=directory
#
#
[Definition]
__assp_actions = (?:dropping|refusing)
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
            ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
            ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
            ^\[SSL-in\] \[TLS-out\] <HOST> warning: SMTP authentication failed;$
            ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$
ignoreregex =
# DEV Notes:
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protoc$
#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
#
# Author: Enrico Labedzki (enrico.labed...@deiwos.de)
but it does not find any matches when I run fail2ban-regex to test it.
I want to match lines like this:
Jul-01-18 20:15:12 [Worker_1] [SSL-in] [TLS-out] 176.112.188.2 warning: SMTP authentication failed on 127.0.0.1
Any samples or suggestions?
Thanks,
James.
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
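
Added example, not part of the original post or of the ASSP or fail2ban projects: a small Python check that shows where the posted "SMTP authentication failed" pattern stops matching the quoted log line, next to a hypothetical adjusted pattern. Assumptions: HOST is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, the timestamp is cut from the line before matching, and the second and third sample lines are constructed.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: fail2ban removes the matched timestamp before applying failregex.
DATE = re.compile(r"^[A-Z][a-z]{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Pattern from the posted filter, split into pieces for diagnosis.
POSTED_PIECES = [r"^", r"\[SSL-in\] \[TLS-out\] ", "<HOST>",
                 r" warning: SMTP authentication failed", r";$"]
POSTED = "".join(POSTED_PIECES)
# Hypothetical adjustment: any run of [tag] prefixes, no ';' end anchor.
TAGS = r"^\s*(?:\[[^\]]+\]\s+)*"
ADJUSTED = TAGS + r"<HOST> warning: SMTP authentication failed\b"

SAMPLES = [
    # Line quoted in the post.
    "Jul-01-18 20:15:12 [Worker_1] [SSL-in] [TLS-out] 176.112.188.2 "
    "warning: SMTP authentication failed on 127.0.0.1",
    # Constructed lines (documentation addresses).
    "Jul-01-18 20:15:13 [Worker_2] 198.51.100.7 "
    "warning: SMTP authentication failed on 127.0.0.1",
    "Jul-01-18 20:15:14 [Worker_1] 203.0.113.9 info: message proxied",
]

def strip_date(line):
    """Drop the leading timestamp, leaving what the failregex is run against."""
    return DATE.sub("", line, count=1)

def find_host(failregex, line):
    """Return the address a failregex would report for this line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), strip_date(line))
    return m.group("host") if m else None

def first_failing_piece(pieces, line):
    """Grow the regex piece by piece; return the piece that stops the match."""
    rest, built = strip_date(line), ""
    for piece in pieces:
        built += piece.replace("<HOST>", HOST)
        if not re.search(built, rest):
            return piece
    return None

if __name__ == "__main__":
    for line in SAMPLES:
        print(find_host(POSTED, line), find_host(ADJUSTED, line))
    print(first_failing_piece(POSTED_PIECES, SAMPLES[0]))
    print(first_failing_piece([TAGS] + POSTED_PIECES[2:], SAMPLES[0]))
```

A candidate pattern still needs to be confirmed with fail2ban-regex against the real ASSP log, since that tool applies the actual <HOST> and date handling.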