On Sat, 17 Oct 2020 at 02:40, Dan Egli <d...@newideatest.site> wrote:
>
> On 10/16/2020 11:39 AM, Dan Egli wrote:
> > Okay. fail2ban-regex finally recognised something. The string I
> > searched for was:
> > H=(.*) <HOST> .* AUTH command used when not advertised
> >
> > I'll try plugging that into my exim.local and see how it goes
> >
> >
>
> Now fail2ban sees it, but it refuses to ACT on it!
>
> # grep 103.154.241.29 fail2ban.log -c
> 113
>
> Wait a minute, 113 times, and yet it has never banned them!?
> # grep "Ban 103.154.241.29" fail2ban.log -c
> 0
>
> What on earth happened here? the exim.local filter has a maxtries of
> 5!!! Not 500!
>
> ---- [ Cut here ] ---
> [INCLUDES]
>
> before = exim-common.conf
>
> [Definition]
> failregex = <HOST> locally blacklisted for a bruteforce
>             H=(.*) <HOST> .* AUTH command used when not advertised
> datepattern = %%Y-%%m-%%d %%H:%%M:%%S
> maxtries = 5
> mdre-normal =
> mode = normal
> ignoreregex =
> --- [ Cut Here ] ---
>
> I did strip out comments for brevity. So, did I do something wrong or is
> something funky going on here?

Have you enabled exim in your jail.local?

e.g. /etc/fail2ban/jail.local:
...
[exim]
enabled = true
...

(and then reloaded fail2ban e.g. systemctl reload-or-restart fail2ban)

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
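
Added example, not part of the original thread and not fail2ban's own code: a plain `grep -c` counts every fail2ban.log line that mentions an address, so this sketch separates `Found` from `Ban` events for one jail, checks that the jail is enabled, and measures how many hits ever fell inside one `findtime` window. The sample config and log lines are constructed, the function names are hypothetical, and it assumes fail2ban's usual log layout, `findtime` given in seconds, and a single jail.local with no overrides elsewhere.

```python
import configparser
import re
from datetime import datetime, timedelta

# Constructed jail.local text (assumed to be the only file setting these options).
JAIL_LOCAL = "[DEFAULT]\nmaxretry = 5\nfindtime = 600\n\n[exim]\nenabled = true\n"
# Constructed fail2ban.log lines in fail2ban's usual layout: one hit every 6 minutes.
FAIL2BAN_LOG = "\n".join(
    f"2020-10-16 11:{m:02d}:00,000 fail2ban.filter [812]: INFO [exim] "
    f"Found 192.0.2.10 - 2020-10-16 11:{m:02d}:00" for m in range(0, 60, 6))
EVENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?\[([^\]\n]+)\] (Found|Ban) (\S+)", re.M)

def events(ip, jail, log_text):
    """Return (sorted Found timestamps, Ban count) for one address in one jail."""
    found, bans = [], 0
    for m in EVENT_RE.finditer(log_text):
        if (m[2], m[4]) == (jail, ip):
            if m[3] == "Ban":
                bans += 1
            else:
                found.append(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"))
    return sorted(found), bans

def peak_in_window(times, findtime):
    """Largest number of hits inside any findtime-second window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=findtime):
            start += 1
        best = max(best, end - start + 1)
    return best

def diagnose(ip, jail, jail_text=JAIL_LOCAL, log_text=FAIL2BAN_LOG):
    """Explain why matches for ip did or did not lead to a ban in this jail."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    if not cfg.getboolean(jail, "enabled", fallback=False):
        return "jail not enabled"
    found, bans = events(ip, jail, log_text)
    if bans:
        return "banned"
    peak = peak_in_window(found, cfg.getint(jail, "findtime"))
    if peak < cfg.getint(jail, "maxretry"):
        return f"{len(found)} hits, but at most {peak} within findtime"
    return "maxretry reached within findtime but no Ban logged"

if __name__ == "__main__":
    print(diagnose("192.0.2.10", "exim"))
```

The threshold fail2ban acts on is the jail's `maxretry` within `findtime`, so a high total match count alone does not imply a ban.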