Hi there, I’m a bit of a noob at the whole fail2ban thing, and I’m wondering if 
you might know how to add something to it. In the past 24 hours, I’ve had a 
couple of IP addresses that are doing something strange. I’m not exactly sure 
if they’re attempting to break into the mail server, but I’d like to see about 
banning them.

I attempted to add more to the failregex, but I couldn’t get it to work.

It's coming in on smtp, and it's for smtp-out, under mta.

Here’s what it looks like:

14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 <smtp+tls://104.28.23.114:25> host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout

Actually there would be a few other attempts in between lines 2 and 6 there. 
Thus, I'd like to create a filter that can figure out the hex thing before the 
'mta event' as that is what ties the first part's attempt to the fact that it's 
failing. Then I'd like to ban that host, both the IPv4 and IPv6 ones that are 
doing whatever it is they're attempting to do.

Does this make sense?

This was my attempt:

^.*mta event=connecting address=<HOST>.*\n.*smtp-out: Enabling route\s*$

But it didn’t work. Any help you could point my way, or explain on how to write 
a useful filter for fail2ban would be appreciated.

Thank you for your time,

Jody
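A fail2ban failregex matches one log line at a time, so the `\n` in the attempt above never matches and the `<HOST>` on the connecting line is not tied to the later `mta event=error` line. The correlation Jody describes (key on the 16-hex-digit session id before `mta event=`, then count the host of every session that ends in an error) is shown below as an added Python example; it is not code from the post or from the fail2ban project. The log lines inside it are constructed to the shape of the excerpt above (the IPv6 connecting line and the `event=connected` line are assumptions, since the post only shows the IPv4 connecting line), and the regex names, `correlate_failures` and `hosts_to_ban` are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's OpenSMTPD smtpd log lines (not captured traffic).
# The IPv6 "connecting" line and the "event=connected" line are assumptions added so the
# example covers both address families and a session that did NOT fail.
SAMPLE_LOG = """\
14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:01 myserver smtpd[989]: edd53f4be38a36a0 mta event=connecting address=smtp+tls://[2400:cb00:2048:1::681c:1672]:25 host=2400:cb00:2048:1::681c:1672
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout
14:29:00 myserver smtpd[8069]: 0123456789abcdef mta event=connecting address=smtp+tls://192.0.2.10:25 host=192.0.2.10
14:29:05 myserver smtpd[8069]: 0123456789abcdef mta event=connected
"""

# The 16-hex-digit token before "mta event=" is the per-delivery session id; it is what
# links the "connecting" line to the later "error" line of the same attempt.
CONNECT_RE = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta event=connecting .*?\bhost=(?P<host>\S+)"
)
EVENT_RE = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta event=(?P<event>\w+)(?: reason=(?P<reason>.*))?$"
)


def correlate_failures(lines):
    """Return a Counter of host -> number of sessions that ended in 'mta event=error'."""
    pending = {}          # session id -> host, for sessions that have connected but not finished
    failures = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            pending[m.group("sid")] = m.group("host")
            continue
        m = EVENT_RE.search(line)
        if not m:
            continue      # "smtp-out: Enabling route" lines carry no session id; ignore them
        host = pending.pop(m.group("sid"), None)
        if host is None:
            continue      # terminal event for a session whose connecting line we never saw
        if m.group("event") == "error":
            failures[host] += 1
    return failures


def hosts_to_ban(failures, maxretry=3):
    """fail2ban-style decision: hosts with at least maxretry failed sessions, sorted for stable output."""
    return sorted(h for h, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    counts = correlate_failures(SAMPLE_LOG.splitlines())
    for host, n in counts.items():
        print(f"{host}: {n} failed session(s)")
    print("would ban (maxretry=1):", hosts_to_ban(counts, maxretry=1))
```

Two things worth checking before turning this into a ban rule. First, the session id is the only reliable join key: the `smtp-out: Enabling route` lines carry a different address (`104.28.22.114` versus `104.28.23.114` in the excerpt), so matching on them would count the wrong host. Second, in OpenSMTPD the `mta` and `smtp-out` prefixes belong to the outbound delivery side, meaning these are connections myserver itself opened to deliver mail; a `Connection timeout` there is the remote host not answering, and banning it would only block your own outbound delivery to it, so confirm which direction the traffic is before acting on these lines.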

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
