On 5/13/2020 10:40 AM, James Moe via Fail2ban-users wrote:
> On 2020-05-12 12:37 PM, Doug Preston via Fail2ban-users wrote:
>
>> fail2ban-regex /var/log/maillog-20200510 /etc/fail2ban/filter.d/postfix.conf
>
>    The regex I offered was tested against your samples; it matched.
>
>> I don't get any hits even though there were 163 lines with this in it.
>
>    Provide samples of the lines that are not matching.
>    And your postfix.conf filter.

postfix.conf

            ^.*mail postfix/smtpd.* lost connection after EHLO from unknown)\[<HOST>\]\.*

but this is the section from postfix.conf with all the regexes working except for the EHLO lines

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>

mdpr-normal= (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?
            lost connection after EHLO from unknown\[<HOST>\]\.*
            (mail\-a\.webstudio[a-z]*\.com)[^[]*\[<HOST>\]
            ^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[<HOST>\].*
            lost\ connection\ after\ EHLO\ from\ unknown\[<HOST>\].*
            (\w+\ \w+\ webstudio[a-z]*\.com)[^[]*\[<HOST>\]

From the log

May  8 01:24:18 mail postfix/smtpd[17431]: lost connection after EHLO from unknown[185.50.149.25]
May  8 01:24:20 mail postfix/smtpd[17440]: lost connection after EHLO from unknown[185.50.149.25]
May  8 01:27:16 mail postfix/smtpd[17588]: lost connection after EHLO from unknown[185.50.149.10]
May  8 01:27:19 mail postfix/smtpd[17596]: lost connection after EHLO from unknown[185.50.149.10]
May  8 01:43:29 mail postfix/smtpd[18438]: lost connection after EHLO from unknown[185.50.149.10]

75 lines removed




_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
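Editor's note, added to the thread (not part of any message above and not fail2ban's own code): the filter quoted above defines a `prefregex`, and in fail2ban that changes how `failregex` is applied. The line must first match `prefregex` in full, and only the text captured by `<F-CONTENT>` is then handed to the `failregex` list. With `mode = normal` the prefix alternative `mdpr-normal` has to match right after the syslog prefix, so a line that starts `lost connection after EHLO ...` is discarded at stage one and none of the appended `failregex` lines, however they are written, ever get to see it. The small re-implementation below makes that visible on the five log lines from the post plus one constructed `reject` line. `PREFIX_LINE`, `PORT` and `HOST` are simplified stand-ins for `%(__prefix_line)s`, `%(_port)s` and `<HOST>` (assumptions, narrowed to the log format shown); `MDPR_DDOS` is written from memory of the `ddos` mode that stock `postfix.conf` has shipped since fail2ban 0.10 and should be checked against the installed filter.

```python
import re

# Added example (not fail2ban's own code): a minimal re-implementation of the
# two-stage matching fail2ban applies when a filter defines `prefregex`.
# Stage 1: prefregex must match the whole line; only its <F-CONTENT> capture
# survives.  Stage 2: each failregex is searched against that captured content.
# A line the prefregex rejects never reaches the failregex list at all.

# Stand-in for %(__prefix_line)s, narrowed to the syslog shape of the posted
# log (assumption; the real __prefix_line is more general).
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
PORT = r"(?::\d+)?"                   # stand-in for %(_port)s (assumption)
HOST = r"(?P<host>\d+(?:\.\d+){3})"   # stand-in for <HOST>, IPv4 only (assumption)

# Prefix alternatives.  MDPR_NORMAL is mdpr-normal exactly as quoted in the thread.
# MDPR_DDOS is the `ddos` mode prefix of stock postfix.conf as remembered from
# fail2ban 0.10+; verify against /etc/fail2ban/filter.d/postfix.conf on your host.
MDPR_NORMAL = r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)"
MDPR_DDOS = r"lost connection after (?!DATA)[A-Z]+"

# failregex lines: two taken from the quoted normal-mode list, plus the bare
# "from ...[<HOST>]" line (also in the quoted list) that pairs with the ddos prefix.
FAILREGEX_NORMAL = [
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s",
    r"^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s",
]
FAILREGEX_DDOS = [r"^from [^[]*\[<HOST>\]%(_port)s:?"]

# Constructed sample log: the five EHLO lines quoted in the thread plus one
# made-up "reject" line so that both prefixes have something to match.
SAMPLE_LOG = """\
May  8 01:24:18 mail postfix/smtpd[17431]: lost connection after EHLO from unknown[185.50.149.25]
May  8 01:24:20 mail postfix/smtpd[17440]: lost connection after EHLO from unknown[185.50.149.25]
May  8 01:27:16 mail postfix/smtpd[17588]: lost connection after EHLO from unknown[185.50.149.10]
May  8 01:27:19 mail postfix/smtpd[17596]: lost connection after EHLO from unknown[185.50.149.10]
May  8 01:43:29 mail postfix/smtpd[18438]: lost connection after EHLO from unknown[185.50.149.10]
May  8 01:50:01 mail postfix/smtpd[18500]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.invalid>: Relay access denied; from=<a@example.invalid> to=<x@example.invalid> proto=ESMTP helo=<x>
""".splitlines()


def expand(pattern):
    """Substitute the two fail2ban placeholders this example supports."""
    return pattern.replace("<HOST>", HOST).replace("%(_port)s", PORT)


def match_lines(lines, mdpr, failregexes):
    """Return the host captured for every line that passes BOTH stages, in log order."""
    prefregex = re.compile(r"^" + PREFIX_LINE + mdpr + r" (?P<content>.+)$")
    compiled = [re.compile(expand(p)) for p in failregexes]
    hosts = []
    for line in lines:
        pre = prefregex.match(line)
        if pre is None:
            continue                      # stage 1 failed: failregex never runs
        content = pre.group("content")    # this is all the failregex list gets to see
        for rx in compiled:
            m = rx.search(content)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def run_normal_mode():
    """The situation in the thread: ddos-style failregex lines under the normal-mode prefix."""
    return match_lines(SAMPLE_LOG, MDPR_NORMAL, FAILREGEX_NORMAL + FAILREGEX_DDOS)


def run_ddos_mode():
    """ddos-mode prefix with its matching failregex: the EHLO lines now match."""
    return match_lines(SAMPLE_LOG, MDPR_DDOS, FAILREGEX_DDOS)


def run_combined_mode():
    """Both prefixes OR'ed together, the way a combined/aggressive mode does it."""
    combined = "(?:%s|%s)" % (MDPR_NORMAL, MDPR_DDOS)
    return match_lines(SAMPLE_LOG, combined, FAILREGEX_NORMAL + FAILREGEX_DDOS)


if __name__ == "__main__":
    print("normal  :", run_normal_mode())    # only the constructed reject line
    print("ddos    :", run_ddos_mode())      # the five EHLO lines from the post
    print("combined:", run_combined_mode())  # all six
```

The practical consequence is that appending `failregex` lines to a filter with a `prefregex` is the wrong place to fix this; the prefix alternative has to admit the line. In fail2ban 0.10 and later the stock filter already provides that through its `mode` parameter, so the usual route is to set `mode = ddos` (or `aggressive`) under `[postfix]` in `jail.local` rather than editing `filter.d/postfix.conf`, and then confirm with `fail2ban-regex` against the real log that the EHLO lines are now counted as matched rather than missed.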
