On 10/16/2020 10:42 AM, James Moe via Fail2ban-users wrote: > On 10/15/20 6:36 PM, Dan Egli wrote: > >> 2020-10-15 19:28:58.395 SMTP protocol error in "AUTH LOGIN" H=(User) >> [103.154.241.29] I=[209.141.58.25]:25 AUTH command used when not advertised >> >> And it's happened REPEATEDLY: >> > Try this (lines are wrapped :-( ) fail2ban v0.10.4: > > failregex = ^.*SMTP protocol error in \"AUTH LOGIN\" .* I\=\[<HOST>\]\:25 AUTH > command used when not advertised > datepattern = %%Y-%%m-%%d %%H:%%M:%%S > > Using the log entry above: > Results > ======= > Failregex: 1 total > |- #) [# of hits] regular expression > | 1) [1] ^.*SMTP protocol error in \"AUTH LOGIN\" .* I\=\[<HOST>\]\:25 AUTH > command used when not advertised > `- > Ignoreregex: 0 total > Date template hits: > |- [# of hits] date format > | [1] Year-Month-Day 24hour:Minute:Second > `- > > Lines: 1 lines, 0 ignored, 1 matched, 0 missed > > I'll try that, but replacing with H= instead. Otherwise it's going to really confuse things. The I= address is MY ip. :)
-- Dan Egli On my Test server
OpenPGP_0xF8A7B3F2AAB08F9D.asc
Description: application/pgp-keys
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
