On 5/4/2020 4:57 PM, Doug Preston via Fail2ban-users wrote:
On 5/4/2020 4:25 PM, Graham wrote:
On Mon, 4 May 2020, Doug Preston via Fail2ban-users wrote:

Date: Mon, 4 May 2020 23:24:07
From: Doug Preston via Fail2ban-users <fail2ban-users@lists.sourceforge.net>
Reply-To: Doug Preston <dlpres...@dlld.com>
To: fail2ban-users@lists.sourceforge.net
Subject: [Fail2ban-users] need help with filterd/postfix.conf

I am tired of the spam

I need to add a line to ban a word in the machine name in my filter.d/postfix.conf

Log entry
May  4 08:20:37 mail postfix/smtpd[9592]: connect from mail-a.webstudioseventyeight.com[170.130.69.8]

I am trying this
mdpr-normal =^connect from ([a-z-0-9]*\.webstudio[A-Z-0-9]*\w+\.com)[<HOST>]


Hello Doug,

    I am no expert in Fail2Ban, and have not used it with Postfix, but until somebody with better information joins in, perhaps I might be able to nudge you towards your goal.

    As I have hinted, I could be wrong, but ...

 - the caret "^" indicates the start of a line.  There is a date and time before the "connect from", so perhaps there should be no caret.

 - the range "[a-z]" is not the same as the range "[A-Z]", so perhaps the second instance should be in lower case, like the first, but perhaps it would be better to use "[[:alnum:]-]" to catch upper-case and lower-case letters, and digits, and the hyphen

 - I do not know that the "\w+" is necessary.

    Taken together, that would give an expression like:-

mdpr-normal = connect from ([[:alnum:]-]+\.webstudio[[:alnum:]-]+\.com)[<HOST>]

    I hope that this helps until better advice is provided.

    Good luck,

I copied the entries from maillog as follows

connect from mail-a.webstudioeightytwo.com[144.172.84.92]
connect from mail-a.webstudioeighty.com[107.175.41.64]

I tried it, still not matching when I try

fail2ban-regex /home/dlpreston/mylog.log /etc/fail2ban/filter.d/postfix.conf

 I get

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /home/mydir/mylog.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.03 sec]

|- Missed line(s):
|  connect from mail-a.webstudioeightytwo.com[144.172.84.92]
|  connect from mail-a.webstudioeighty.com[107.175.41.64]

I figured it out. I was trying to add a new mdpr-normal line; I need to add my regex as the next line of the existing mdre-normal line.

Thanks for the help.  I've been reading this mailing list for years and pull tricks out of it, but I hadn't seen this before.

Now all emails from *.webstudio*.com will trigger fail2ban to ban their IP.  I hate spammers.
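The following is an added example, not code from the thread or from the fail2ban project. It checks candidate patterns like the ones above against the log lines quoted in the thread, using Python's `re` (the engine fail2ban itself runs). `PREFIX_LINE` and `HOST_TAG` are simplified stand-ins for the stock postfix filter's syslog prefix and for fail2ban's `<HOST>` expansion, `collect_failregexes` is a simplified model of the filter building its failregex from the `mdre-<mode>` variable, and the sample log is constructed. It shows three things a practitioner would want to confirm before trusting a filter: unescaped `[<HOST>]` turns the expanded tag into a character class and the pattern does not compile; a `^` placed after the prefix can never match; and once both are fixed the hosts are captured, while a key misspelt as `mdpr-normal` is simply an unused variable. `[[:alnum:]]`-style POSIX classes are not understood by Python's `re`, so the corrected pattern uses `[\w-]` instead.

```python
"""Check fail2ban-style failregex lines against sample postfix log lines.
Only what this thread touches is modelled; this is not fail2ban's own code."""
import re

# Constructed sample log: the hostnames and addresses quoted in the thread,
# plus one unrelated client that must NOT match.
SAMPLE_LOG = """\
May  4 08:20:37 mail postfix/smtpd[9592]: connect from mail-a.webstudioseventyeight.com[170.130.69.8]
May  4 08:21:02 mail postfix/smtpd[9592]: connect from mail-a.webstudioeightytwo.com[144.172.84.92]
May  4 08:21:40 mail postfix/smtpd[9593]: connect from mail-a.webstudioeighty.com[107.175.41.64]
May  4 08:22:15 mail postfix/smtpd[9593]: connect from mx.example.net[192.0.2.10]
"""

# Assumption: simplified stand-in for the syslog/postfix prefix that the stock
# postfix filter puts in front of every mdre-* pattern.
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

# Assumption: simplified stand-in for fail2ban's <HOST> expansion. The real one
# is an IPv4/IPv6/DNS alternation, but it is likewise a parenthesised group.
HOST_TAG = r"(?P<host>[\w.:-]+)"


def collect_failregexes(section, mode="normal"):
    """Simplified model of the filter's failregex being built from the
    mdre-<mode> variable: only that key contributes patterns. A misspelt
    key (mdpr-normal) is an unused variable and adds nothing."""
    raw = section.get(f"mdre-{mode}", "")
    return [line.strip() for line in raw.splitlines() if line.strip()]


def compile_failregex(failregex):
    """Expand <HOST>, prepend the prefix, and compile with Python's re."""
    return re.compile(PREFIX_LINE + failregex.replace("<HOST>", HOST_TAG))


def check(failregex, log_text=SAMPLE_LOG):
    """Return the captured host for every line the pattern matches, or the
    re.error text if the pattern does not even compile."""
    try:
        rx = compile_failregex(failregex)
    except re.error as exc:
        return f"re.error: {exc}"
    return [m.group("host") for m in map(rx.search, log_text.splitlines()) if m]


# The thread's first attempt: a bare "[" before <HOST> opens a character
# class, so the expanded tag's parentheses end up unbalanced and re rejects it.
ORIGINAL = r"^connect from ([a-z-0-9]*\.webstudio[A-Z-0-9]*\w+\.com)[<HOST>]"

# Brackets escaped, but "^" after the prefix asserts start-of-line where the
# timestamp already is, so nothing can match.
ESCAPED = r"^connect from ([a-z-0-9]*\.webstudio[A-Z-0-9]*\w+\.com)\[<HOST>\]"

# Caret dropped as well; [\w-] covers letters, digits, underscore and hyphen
# in both cases, and the brackets are escaped as the stock filter does.
FINAL = r"connect from [\w-]+\.webstudio[\w-]*\.com\[<HOST>\]"

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("escaped", ESCAPED), ("final", FINAL)):
        print(f"{name:9s} -> {check(pattern)}")
    # Only the correctly named key reaches the filter.
    print(collect_failregexes({"mdpr-normal": ORIGINAL, "mdre-normal": FINAL}))
```

Running the script prints an `re.error` for the first pattern, an empty list for the second, and the three webstudio client addresses for the third; the unrelated `mx.example.net` line is never matched. The same check is what `fail2ban-regex` performs against a real filter file, so once a pattern passes here it is worth rerunning that tool with the full filter to confirm the prefix and `<HOST>` expansion behave the same way.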



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
