On 5/4/2020 4:25 PM, Graham wrote:
On Mon, 4 May 2020, Doug Preston via Fail2ban-users wrote:
Date: Mon, 4 May 2020 23:24:07
From: Doug Preston via Fail2ban-users <fail2ban-users@lists.sourceforge.net>
Reply-To: Doug Preston <dlpres...@dlld.com>
To: fail2ban-users@lists.sourceforge.net
Subject: [Fail2ban-users] need help with filterd/postfix.conf
I am tired of the spam
I need to add a line to ban a word in the machine name in my filter.d/postfix.conf
Log entry
May 4 08:20:37 mail postfix/smtpd[9592]: connect from mail-a.webstudioseventyeight.com[170.130.69.8]
I am trying this
mdpr-normal =^connect from ([a-z-0-9]*\.webstudio[A-Z-0-9]*\w+\.com)[<HOST>]
Hello Doug,
I am no expert in Fail2Ban, and have not used it with Postfix, but
until somebody with better information joins in, perhaps I might be
able to nudge you towards your goal.
As I have hinted, I could be wrong, but ...
- the caret "^" indicates the start of a line. There is a date and
time before the "connect from", so perhaps there should be no caret.
- the range "[a-z]" is not the same as the range "[A-Z]", so perhaps
the second instance should be in lower case, like the first, but
perhaps it would be better to use "[[:alnum:]-]" to catch upper-case
and lower-case letters, and digits, and the hyphen
- I do not know that the "\w+" is necessary.
Taken together, that would give an expression like:-
mdpr-normal = connect from ([[:alnum:]-]+\.webstudio[[:alnum:]-]+\.com)[<HOST>]
I hope that this helps until better advice is provided.
Good luck,
I copied the entries from maillog as follows
connect from mail-a.webstudioeightytwo.com[144.172.84.92]
connect from mail-a.webstudioeighty.com[107.175.41.64]
I tried it, still not matching when I try
fail2ban-regex /home/dlpreston/mylog.log /etc/fail2ban/filter.d/postfix.conf
I get
Running tests
=============
Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /home/mydir/mylog.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.03 sec]
|- Missed line(s):
| connect from mail-a.webstudioeightytwo.com[144.172.84.92]
| connect from mail-a.webstudioeighty.com[107.175.41.64]
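Added example, not part of any message in this thread and not fail2ban's own code: fail2ban compiles each failregex with Python's re module, so the two expressions posted above can be checked directly against the quoted "connect from" lines. HOST_STANDIN is a simplified IPv4-only substitute for the <HOST> tag, the "escaped" expression is one assumed correction, and the example.org line is constructed.

```python
import re
import warnings

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption for this
# example; the real expansion also covers IPv6 and host names).
HOST_STANDIN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Message part of the log lines quoted in the thread.
LINES = [
    "connect from mail-a.webstudioseventyeight.com[170.130.69.8]",
    "connect from mail-a.webstudioeightytwo.com[144.172.84.92]",
    "connect from mail-a.webstudioeighty.com[107.175.41.64]",
    "connect from mail.example.org[192.0.2.10]",  # constructed, must not match
]

CANDIDATES = {
    # As posted: [<HOST>] is a character class, so no host group survives.
    "original": r"^connect from ([a-z-0-9]*\.webstudio[A-Z-0-9]*\w+\.com)[<HOST>]",
    # Python's re has no POSIX classes: "[[:alnum:]" is a set of literal
    # characters and the following "-]" are literals.
    "posix": r"connect from ([[:alnum:]-]+\.webstudio[[:alnum:]-]+\.com)[<HOST>]",
    # Assumed fix: explicit ranges, escaped literal brackets, anchored both ends.
    "escaped": r"^connect from [A-Za-z0-9.-]+\.webstudio[A-Za-z0-9-]+\.com\[<HOST>\]$",
}


def captured_host(failregex, line):
    """Return the address the expression would report for line, or None."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)  # "possible nested set"
        pattern = re.compile(failregex.replace("<HOST>", HOST_STANDIN))
    match = pattern.search(line)
    return match.groupdict().get("host") if match else None


def run_all():
    """Map each candidate name to the host captured (or None) per sample line."""
    return {name: [captured_host(rx, ln) for ln in LINES]
            for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, hosts in run_all().items():
        print(f"{name:9} {hosts}")
```

Both posted expressions compile without error but never capture an address; only the variant with escaped brackets and explicit character ranges does.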