On 2020-05-13 4:44 PM, Doug Preston via Fail2ban-users wrote:

>>> I don't get any hits even though there were 163 lines with this in it.
>>>
>>    Provide samples of the lines that are not matching.
>>    And your postfix.conf filter.
> postfix.conf
>
  Using the info you provided, the result is below. Attached is the modified
conf file that succeeded.
  The "prefregex" line failed always.

Running tests
=============

Use   failregex file : /t/tmp3/f2b-test.conf
Use         log file : /t/tmp3/f2b-test.log
Use         encoding : UTF-8


Results
=======

Failregex: 5 total
|-  #) [# of hits] regular expression
|   1) [5] ^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[<HOST>\].*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 5 lines, 0 ignored, 5 matched, 0 missed
[processed in 0.01 sec]


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
[Definition]

# but this is the section from postfix.conf  with all the regex working
# except for the EHLO lines

# prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>

failregex = ^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[<HOST>\].*

mdpr-normal= (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
 ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse)?hostname\b)
 ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
 ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
 ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
 ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
 ^from [^[]*\[<HOST>\]%(_port)s:?lost connection after EHLO from unknown\[<HOST>\]\.*(mail\-a\.webstudio[a-z]*\.com)[^[]*\[<HOST>\]
 ^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[<HOST>\].*lost\ connection\ after\ EHLO\ from\ unknown\[<HOST>\].*(\w+\ \w+\ webstudio[a-z]*\.com)[^[]*\[<HOST>\]


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
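
Added example (not part of the original message and not fail2ban's own code): a Python script that applies the failregex from the attached filter to constructed log lines and reports hits and misses, showing which variations of the "lost connection after EHLO" line this pattern does not cover. The `HOST_GROUP` expansion, the `DATE` pattern and the sample lines are assumptions made for the example.

```python
import re

# The failregex from the attached filter, as quoted in the message above.
FAILREGEX = r"^.*mail postfix/smtpd.* lost connection after EHLO from unknown\[<HOST>\].*"

# Assumption: a simplified IPv4-only stand-in for fail2ban's <HOST> tag.
# fail2ban's own expansion also accepts IPv6 addresses and DNS names.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption: syslog-style timestamp, removed before matching the way
# fail2ban strips the date it detected from each line.
DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
May 13 10:01:02 mail postfix/smtpd[2101]: lost connection after EHLO from unknown[192.0.2.10]
May 13 10:01:09 mail postfix/smtpd[2102]: lost connection after EHLO from unknown[198.51.100.7]
May 13 10:02:30 mail postfix/smtpd[2103]: lost connection after EHLO from mx.example.net[203.0.113.5]
May 13 10:03:11 mail postfix/smtpd[2104]: lost connection after AUTH from unknown[192.0.2.10]
May 13 10:04:00 mx2 postfix/smtpd[2105]: lost connection after EHLO from unknown[192.0.2.44]
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def scan(log_text, failregex=FAILREGEX):
    """Return (hosts of matched lines, missed lines), like a fail2ban-regex summary."""
    pattern = compile_failregex(failregex)
    hosts, missed = [], []
    for line in log_text.splitlines():
        body = DATE.sub("", line, count=1)  # match against the line minus its date
        m = pattern.search(body)
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(line)
    return hosts, missed

if __name__ == "__main__":
    hosts, missed = scan(SAMPLE_LOG)
    print(f"Lines: {len(hosts) + len(missed)} lines, {len(hosts)} matched, {len(missed)} missed")
    for line in missed:
        print("missed:", line)
```

The three misses come from the literals in the pattern: a client with a resolved reverse name instead of `unknown`, a different SMTP stage (`AUTH`), and a syslog hostname other than `mail`.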
