On Fri, 16 Oct 2020 at 02:43, Dan Egli <d...@newideatest.site> wrote:
>
> I have no idea why this is happening, but all of a sudden fail2ban isn't
> catching any offenders who try to use an AUTH command when it's not
> advertised. Here's an example from my logs:
>
> 2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" H=(User)
> [103.154.241.29] I=[209.141.58.25]:25 AUTH command used when not advertised
>
> And it's happened REPEATEDLY:
>
> > grep 103.154.241.29 main.log | grep -c "AUTH LOGIN"
> 61
>
> So it's happened 61 times just today, and yet fail2ban isn't blocking this
> idiot. The catch string is in my filter file:
>
> ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH
> command used when not advertised\s*$
>
> So why is fail2ban not blocking this person/machine?

I can't find a way to debug this (fail2ban-regex v0.10.2 seems broken when specifying the regex on the command line), but you could try removing '^ %(pid)s ' from the front of the match string (best to recreate as exim.local), as I don't see any PID in the log string that you posted, so presumably your logger is not recording it.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
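
Added example, not part of either message and not fail2ban's own code: a small Python harness that expands the quoted failregex outside fail2ban and runs it against the posted log line, once with a mandatory PID prefix and once with an optional one, to show how the prefix alone decides whether the line is caught. The stand-in patterns for %(pid)s and %(host_info)s and the timestamp-stripping step are assumptions made for this sketch, not the definitions shipped in fail2ban's exim filter files.

```python
import re

# failregex as quoted in the thread (the e-mail line wrap is rejoined).
FAILREGEX = (r'^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" '
             r'%(host_info)sAUTH command used when not advertised\s*$')

# ASSUMED stand-ins for the interpolated variables; these are NOT copied
# from fail2ban's shipped exim filter configuration.
HOST_INFO = r'(?:H=\S+ )?\[(?P<host>[\d.]+)\](?::\d+)?(?: I=\[\S+\](?::\d+)?)?\s'
PID_VARIANTS = {
    "pid required": r' \[\d+\]',       # log line must carry " [1234]"
    "pid optional": r'(?: \[\d+\])?',  # PID may be absent
}

# ASSUMPTION: the leading timestamp is removed before the regex is applied,
# so "^" anchors on whatever follows it.
TIMESTAMP = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?')

# Log line posted in the thread (no PID field).
LOG_LINE = ('2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" '
            'H=(User) [103.154.241.29] I=[209.141.58.25]:25 '
            'AUTH command used when not advertised')
# Constructed variant of the same line with a PID field, for comparison.
PID_LINE = LOG_LINE.replace('.395 SMTP', '.395 [12345] SMTP')


def expand(pid_pattern):
    """Interpolate the stand-ins into the template and compile it."""
    return re.compile(FAILREGEX % {"pid": pid_pattern, "host_info": HOST_INFO})


def diagnose(line):
    """Return {variant: matched host or None} for one raw log line."""
    rest = TIMESTAMP.sub("", line, count=1)
    results = {}
    for name, pid_pattern in PID_VARIANTS.items():
        match = expand(pid_pattern).search(rest)
        results[name] = match.group("host") if match else None
    return results


if __name__ == "__main__":
    for label, line in (("posted line", LOG_LINE), ("with PID", PID_LINE)):
        print(label, diagnose(line))
```

To test a real filter, replace the stand-ins with the pid and host_info values from the installed filter files, substituting a capturing group for the <HOST> tag.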