On 10/16/2020 11:30 AM, Dan Egli wrote:
> On 10/16/2020 11:19 AM, James Moe via Fail2ban-users wrote:
>> On 10/16/20 10:13 AM, Dan Egli wrote:
>>
>> Ah. I guessed incorrectly.
>> Also the "datepattern" was necessary.
>>
> I can throw the datepatern in. But fail2ban-regex isn't recognizing it
> when I try.
>
> # fail2ban-regex /var/log/exim4/main.log "^.*SMTP protocol error in
> \"AUTH LOGIN\" .* H\=<HOST> .* AUTH command used when not advertised"
>
> Running tests
> =============
>
> Use failregex line : ^.*SMTP protocol error in "AUTH LOGIN" .* H\=<HOST...
> Use log file : /var/log/exim4/main.log
> Use encoding : ISO-8859-1
>
>
> Results
> =======
>
> Failregex: 0 total
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [1420] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|
> ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
> `-
>
> Lines: 1420 lines, 0 ignored, 0 matched, 1420 missed
> [processed in 0.07 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all
> 1420 lines
>
>
>
Okay. fail2ban-regex finally recognised something. The string I
searched for was:
H=(.*) <HOST> .* AUTH command used when not advertised
I'll try plugging that into my exim.local and see how it goes
--
Dan Egli
On my Test server
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
