I'm trying to match lines that look like this:
Nov 17 14:59:57 shelob sendmail[23444]: sAHMxnoo023444: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=ip-89-248-169-66.dynamic.s6n.net [89.248.169.66] (may be forged)
The filter.d/sendmail-sasl.conf file below is not matching it. I'm using
0.8.14-1.el6 under CentOS 6.5. Testing with egrep, I can match everything
up to the dom and host patterns. Testing with fail2ban-regex and the
dom/host parts added to the pattern doesn't match any of the auth failures
in my maillog.
Here's the filter file:
# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = sendmail
failregex = ^%(__prefix_line)s\w{13}: AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, relay=((?P<dom>) )?\[<HOST>\]( \(may be forged\))?$
# Author: Kenneth Porter
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
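
Added example, not part of the original post and not fail2ban's own code: it splits the posted failregex into pieces and reports the first piece at which an anchored match against the quoted log line stops. `PREFIX` and `HOST` are simplified stand-ins for `%(__prefix_line)s` and `<HOST>`, and the `\w{14}` and `(?P<dom>\S+)` variants are constructed here for comparison.

```python
import re

# Constructed input: the log line quoted in the post with the e-mail wrapping
# undone and the syslog timestamp dropped (date handling is not modelled here).
LINE = ("shelob sendmail[23444]: sAHMxnoo023444: AUTH failure (LOGIN): "
        "authentication failure (-13) SASL(-13): authentication failure: "
        "checkpass failed, relay=ip-89-248-169-66.dynamic.s6n.net "
        "[89.248.169.66] (may be forged)")

# Assumptions: simplified stand-ins for %(__prefix_line)s and the <HOST> tag.
PREFIX = r"\s*(?:\S+ )?sendmail(?:\[\d+\])?:?\s*"
HOST = r"(?P<host>[\w\-.^_]+)"

def pieces(queue_id, dom):
    """Return the failregex split into pieces that can be tested cumulatively."""
    return [r"^%(__prefix_line)s", queue_id + ": ",
            r"AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): ",
            r"authentication failure: checkpass failed, relay=",
            "(" + dom + " )?", r"\[<HOST>\]", r"( \(may be forged\))?$"]

def expand(pattern):
    """Substitute the stand-ins for the fail2ban placeholders."""
    return pattern.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)

def first_failing_piece(parts, line):
    """Return the first piece where the growing pattern stops matching, or None."""
    for i in range(1, len(parts) + 1):
        if re.match(expand("".join(parts[:i])), line) is None:
            return parts[i - 1]
    return None

def matched_host(parts, line):
    """Return the captured host for a full match, or None."""
    m = re.match(expand("".join(parts)), line)
    return m.group("host") if m else None

POSTED = pieces(r"\w{13}", r"(?P<dom>)")       # joined, this is the posted failregex
ID_ONLY = pieces(r"\w{14}", r"(?P<dom>)")      # constructed: queue id length changed
VARIANT = pieces(r"\w{14}", r"(?P<dom>\S+)")   # constructed: dom group consumes a name

if __name__ == "__main__":
    for name, parts in (("posted", POSTED), ("id only", ID_ONLY), ("variant", VARIANT)):
        print(name, "| stops at:", first_failing_piece(parts, LINE),
              "| host:", matched_host(parts, LINE))
```

The queue id in the quoted line is 14 characters long, and an unanchored egrep test can still match `\w{13}:` against its last 13 characters, which an anchored failregex cannot do.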