I'll try those, thank you!
On 9/5/2020 8:41 AM, Steve Murphy wrote:
How about:
failregex = H=<HOST> .* rejected connection
or
failregex = H=<HOST> .* locally blacklisted for a bruteforce auth
?
murf
On Sat, Sep 5, 2020 at 2:54 AM Dan via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
I REALLY suck at regular expressions, so please bear with me if this is an easy one for you. My MTA is set up to greylist sites that try brute force AUTH attacks. That's great, but it also floods my log files when they keep trying and the MTA keeps rejecting. I copied an example of the log file entry below. Can someone come up with a filter that I can put in fail2ban that would block the IP for the default time period?
Thanks!
--- Dan
2020-09-05 00:19:56.010 H=[<HIS IP>] I=[<MY IP>]:587 rejected connection in "connect" ACL: 45.142.120.74 locally blacklisted for a bruteforce auth (username+password) cracking attempt
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
Steve Murphy
ParseTree Corporation
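Added example, not part of the original messages: a Python check of the two suggested failregex lines against a log line in the quoted format, showing which address each would capture and how broad each pattern is. Assumptions: `HOST_RE` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag (not fail2ban's own expansion), the `H=\[<HOST>\]` variants are added here to account for the brackets in the log line, and both log lines are constructed with documentation addresses.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only, and it
# does not consume surrounding brackets). The real expansion is broader.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def banned_host(failregex, line):
    """Return the address the pattern would capture for banning, or None."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None

# Constructed log lines (documentation addresses), each on ONE line as the MTA
# writes it; the copy in the e-mail is wrapped.
BRUTEFORCE = ('2020-09-05 00:19:56.010 H=[203.0.113.7] I=[192.0.2.25]:587 '
              'rejected connection in "connect" ACL: 203.0.113.7 locally '
              'blacklisted for a bruteforce auth (username+password) '
              'cracking attempt')
# Hypothetical rejection for a different reason, to compare pattern scope.
OTHER = ('2020-09-05 00:21:10.442 H=[198.51.100.9] I=[192.0.2.25]:25 '
         'rejected connection in "connect" ACL: constructed other reason')

PATTERNS = {
    "posted_broad":     r"H=<HOST> .* rejected connection",
    "posted_narrow":    r"H=<HOST> .* locally blacklisted for a bruteforce auth",
    "bracketed_broad":  r"H=\[<HOST>\] .* rejected connection",
    "bracketed_narrow": r"H=\[<HOST>\] .* locally blacklisted for a bruteforce auth",
}

def evaluate():
    """Map each pattern name to (host from BRUTEFORCE, host from OTHER)."""
    return {name: (banned_host(rx, BRUTEFORCE), banned_host(rx, OTHER))
            for name, rx in PATTERNS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:17} bruteforce={result[0]} other={result[1]}")
```

The broad pattern bans on any rejected connection, while the narrow one fires only on the brute-force blacklist message. Running `fail2ban-regex` against the real log file and filter gives the authoritative result for the installed fail2ban version.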