One thing I should possibly also note: I'm using MailScanner, hence the sendmail service is started via ms-sendmail rather than sendmail. That is, I'm using /usr/lib/systemd/system/ms-sendmail.service (and the associated ms-sendmail-in and ms-sendmail-out, which get loaded through this file), rather than the default sendmail.service...
I've changed the journalmatch to ms-sendmail.service but that doesn't seem to help at all. Thanks in advance for assistance.

--- Amir

> On Mar 25, 2019, at 8:48 PM, Amir Caspi <[email protected]> wrote:
>
> Hi all,
>
> I'm setting up a new CentOS 7 server with f2b 0.9.7 (from EPEL) and I'm having trouble with one of my sendmail rules. I set up a custom rule to ban servers that fail SMTP AUTH and then hang up... while I would normally want to ban these guys using the PAM failure, unfortunately the current cyrus-sasl implementation means that saslauthd doesn't log the remote host, or send the rhost info to PAM to log... so this is (right now) the only way to do it.
>
> Unfortunately, although my filter matches just fine using fail2ban-regex, the server is never triggering that filter.
>
> The filter is sendmail-noauth.conf, as follows:
> failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
>
> It's enabled in jail.local as follows, with default maxretry = 3, findtime = 600, bantime = 600:
> [sendmail-noauth]
> enabled = true
> port = submission,465,smtp
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> This is on CentOS 7, so I'm loading paths_fedora.conf which has syslog_mail = /var/log/maillog and syslog_backend = systemd. Default action is mwl so I get the email notification.
>
> /var/log/maillog has hundreds of lines from the same offender:
> Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> If I MANUALLY ban the IP using fail2ban-client, the resulting email is looking up the correct lines from the correct logfile.
>
> So, in short: fail2ban-regex matches just fine, and manual banning shows that the correct logfile is being read. But automated banning is not working.
>
> This same rule works just fine on my old CentOS 5 box using f2b 0.8.14.
>
> Can anyone help? I have no idea why it's not banning when fail2ban-regex works fine, as does manual banning.
>
> Thanks!
>
> --- Amir
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
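To see the jail's counting logic applied to this filter, here is an added Python example, not code from the original post or from fail2ban itself: it expands the quoted failregex with stand-ins for fail2ban's %(__prefix_line)s and <HOST> (the prefix pattern is a simplifying assumption), strips the syslog date the way fail2ban does, and applies maxretry = 3 within findtime = 600 to constructed maillog lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed stand-in for fail2ban's %(__prefix_line)s ("host daemon[pid]: "); common.conf's is broader.
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:\S+\[\d+\]:\s+)?"
# What fail2ban 0.9 substitutes for the <HOST> placeholder.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The sendmail-noauth failregex from the post, with both placeholders expanded.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"\w{14}: (\S+ )?\[" + HOST_RE
    + r"\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)
DATE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
YEAR = 2019  # syslog timestamps carry no year; one is assumed so lines can be ordered

def match_line(line):
    """Return (timestamp, host) when the filter matches the line, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    ts = datetime.strptime(f"{YEAR} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    f = FAILREGEX.match(line[d.end():])  # fail2ban strips the date before applying failregex
    return (ts, f["host"]) if f else None

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Emulate the jail: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(list), []
    for line in lines:
        r = match_line(line)
        if r is None or r[1] in banned:
            continue
        ts, host = r
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]  # drop stale hits
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned
# Constructed maillog lines: documentation-range IPs, made-up queue IDs.
SAMPLE_LOG = """\
Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.example.net [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:41:10 servername sm-mta[10960]: x2Q2fAbc010960: mta9.example.net [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:41:35 servername sm-mta[10971]: x2Q2fZxy010971: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:42:02 servername sm-mta[10975]: x2Q2g2Qq010975: mta9.example.net [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 03:15:00 servername sm-mta[11020]: x2Q3F0Ab011020: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 03:15:20 servername sm-mta[11021]: x2Q3FKCd011021: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 03:16:00 servername sm-mta[11025]: x2Q3G0Ef011025: from=<user@example.org>, size=1201, nrcpts=1
"""
if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))  # ['192.0.2.10']
```

The first host is banned on its third match inside the 600-second window, while the second host's three matches span more than that, which is the difference between fail2ban-regex matching lines and the jail actually acting on them.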
