On 11-06-19 23:09, James Moe via Fail2ban-users wrote:
> fail2ban v0.10.3
> linux v4.12.14-lp150.12.58-default x86_64
>
> The second regex (...Error Code=unknown...) below is not matching the
> second example. fail2ban-regex was not helpful even with --verbosity=4;
> it only matched the date pattern.
> The first regex matches without a problem.
> Does anyone see what the error is?
>
> # Capture dictionary attacks
> # 20:24:51.463 1 IMAP-151473([114.104.162.36]:54046) failed to open
> ACCOUNT(russell_first_n...@businessmastery.us) for
> [114.104.162.36]:54046->[192.168.69.246]:993. Error Code=account is not
> available on this system
> # 17:49:22.641 1 SMTPI-025271([45.13.36.34]) failed to open
> ACCOUNT(dan...@sma-inc.us) for
> [45.13.36.34]:24620->[192.168.69.246]:465. Error Code=unknown user account
> #
> failregex = ^.*\(\[<HOST>\]\:.*\).*?Error Code=account is not available.*$
>             ^.*\(\[<HOST>\]\:.*\).*?Error Code=unknown user account*$
> datepattern = %%H:%%M:%%S

The first failure line has ":<port>" after the IP address, but the second
line hasn't, but your regex requires the colon. Remove the requirement
for the colon and you're good.

Kind regards,
Tom
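
The mismatch Tom describes, reproduced as an added example that is not part of the original thread. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the log lines are constructed in the same shape as the two in the post, `first_host` is a hypothetical helper, and the optional `(?::\d+)?` group is one way to drop the colon requirement.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two patterns from the post, unchanged.
ORIGINAL = [
    r"^.*\(\[<HOST>\]\:.*\).*?Error Code=account is not available.*$",
    r"^.*\(\[<HOST>\]\:.*\).*?Error Code=unknown user account*$",
]

# Same patterns with ":<port>" after the address made optional,
# so both "([ip]:port)" and "([ip])" are accepted.
RELAXED = [
    r"^.*\(\[<HOST>\](?::\d+)?\).*?Error Code=account is not available.*$",
    r"^.*\(\[<HOST>\](?::\d+)?\).*?Error Code=unknown user account*$",
]

# Constructed log lines (documentation addresses, example.com account).
IMAP_LINE = (
    "20:24:51.463 1 IMAP-151473([203.0.113.36]:54046) failed to open "
    "ACCOUNT(user@example.com) for "
    "[203.0.113.36]:54046->[192.0.2.246]:993. "
    "Error Code=account is not available on this system"
)
SMTP_LINE = (
    "17:49:22.641 1 SMTPI-025271([198.51.100.34]) failed to open "
    "ACCOUNT(user@example.com) for "
    "[198.51.100.34]:24620->[192.0.2.246]:465. "
    "Error Code=unknown user account"
)


def first_host(patterns, line):
    """Return the host captured by the first matching pattern, else None."""
    for pattern in patterns:
        match = re.search(pattern.replace("<HOST>", HOST), line)
        if match:
            return match.group("host")
    return None


if __name__ == "__main__":
    for name, patterns in (("original", ORIGINAL), ("relaxed", RELAXED)):
        for label, line in (("IMAP", IMAP_LINE), ("SMTP", SMTP_LINE)):
            print(f"{name:8} {label}: {first_host(patterns, line)}")
```
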