I have no idea why this is happening, but all of a sudden fail2ban isn't catching any offenders who try to use an AUTH command when it's not advertised. Here's an example from my logs:
2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" H=(User) [103.154.241.29] I=[209.141.58.25]:25 AUTH command used when not advertised

And it's happened REPEATEDLY:

grep 103.154.241.29 main.log | grep -c "AUTH LOGIN"
61

So it's happened 61 times just today, and yet fail2ban isn't blocking this idiot. The catch string is in my filter file:

^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$

So why is fail2ban not blocking this person/machine?

--
Dan Egli
On my Test server
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
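
Added example, not part of the original post and not fail2ban's own code: a small Python check of whether the quoted failregex matches the logged message once the timestamp has been removed, which is the text fail2ban applies a failregex to. The `pid` and `host_info` definitions, the IPv4-only `<HOST>` group and both timestamp patterns are assumptions made for this example, since the post does not show them.

```python
import re

# Failregex exactly as quoted in the post.
FAILREGEX = (r'^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" '
             r'%(host_info)sAUTH command used when not advertised\s*$')

# ASSUMED stand-ins: the post does not show how pid and host_info are defined.
DEFS = {
    "pid": r'(?: \[\d+\])?',
    "host_info": r'(?:H=(?:[\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?'
                 r'(?: I=\[\S+\](?::\d+)?)? ',
}
# ASSUMED: <HOST> reduced to an IPv4 capture group for this example.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# ASSUMED timestamp patterns; neither is fail2ban's own date detector.
TS_WITH_FRACTION = r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?'
TS_SECONDS_ONLY = r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'

# Log line from the post.
LOG_LINE = ('2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" '
            'H=(User) [103.154.241.29] I=[209.141.58.25]:25 '
            'AUTH command used when not advertised')


def compile_failregex(template=FAILREGEX, defs=DEFS):
    """Expand %(name)s references and the <HOST> tag, then compile."""
    return re.compile((template % defs).replace("<HOST>", HOST))


def offender(line, ts_pattern=TS_WITH_FRACTION):
    """Strip the timestamp, apply the failregex to the remainder and
    return the captured host, or None when the line does not match."""
    remainder = re.sub(ts_pattern, "", line, count=1)
    m = compile_failregex().search(remainder)
    return m.group("host") if m else None


if __name__ == "__main__":
    # The ^ anchor makes the result depend on how much of the timestamp
    # is removed before the expression is applied.
    print("full timestamp stripped :", offender(LOG_LINE))
    print("'.395' left on the line  :", offender(LOG_LINE, TS_SECONDS_ONLY))
```

A match here covers only the expression under these assumed definitions; running `fail2ban-regex` against the real log and filter file exercises the installed definitions and date handling.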