Hi.

What about your 'findtime' settings in your jail.conf or jail.local?

/Finn

On 17-10-2020 at 08:14, Dominic Raferd wrote:
On Sat, 17 Oct 2020 at 02:40, Dan Egli <d...@newideatest.site> wrote:

On 10/16/2020 11:39 AM, Dan Egli wrote:
Okay.  fail2ban-regex finally recognised something. The string I
searched for was:
H=(.*) <HOST> .* AUTH command used when not advertised

I'll try plugging that into my exim.local and see how it goes



Now fail2ban sees it, but it refuses to ACT on it!

# grep 103.154.241.29 fail2ban.log -c
113

Wait a minute, 113 times, and yet it has never banned them!?
# grep "Ban 103.154.241.29" fail2ban.log -c
0

What on earth happened here? The exim.local filter has a maxtries of
5!!! Not 500!

---- [ Cut here ] ---
[INCLUDES]

before = exim-common.conf

[Definition]
failregex = <HOST> locally blacklisted for a bruteforce
             H=(.*) <HOST> .* AUTH command used when not advertised
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
maxtries = 5
mdre-normal =
mode = normal
ignoreregex =
--- [ Cut Here ] ---

I did strip out comments for brevity. So, did I do something wrong or is
something funky going on here?

Have you enabled exim in your jail.local? e.g.
/etc/fail2ban/jail.local:
...
[exim]
enabled = true
...

(and then reloaded fail2ban e.g. systemctl reload-or-restart fail2ban)


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


