# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]

# Load the shared fail2ban definitions first so this filter can build on them.
before = common.conf
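[Definition]

# Syslog program names sendmail logs under. The prefix pattern imported from
# common.conf is expected to reference this name when matching a line's head.
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))

# Extend the common log-line prefix with the optional sendmail queue ID that
# follows the daemon name. "\w{14,20}" accepts IDs from 14 up to 20 characters
# long. %(known/__prefix_line)s is fail2ban's way of reading the value that the
# included common.conf already defined for this key.
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?

# Client address as sendmail prints it inside square brackets: a bare IPv4
# literal, or an IPv6 literal prefixed with "IPv6:". <IP4>/<IP6> are fail2ban's
# address tags; whatever they match becomes the host that gets banned.
addr = (?:IPv6:<IP6>|<IP4>)

# Split every line into the prefix (the queue ID inside <F-MLFID> lets fail2ban
# tie together the lines of one multi-line message) and the payload in
# <F-CONTENT>, which is what failregex below is run against.
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$

# Two failure shapes are recognised:
#  1. sendmail's "possible SMTP attack" notice for repeated AUTH commands;
#  2. an explicit "AUTH failure" line carrying the relay address.
# "(may be forged)" is what sendmail appends when the reverse DNS of the peer
# does not agree with its address, so it is accepted but not required.
# <F-USER> captures the attempted user name verbatim from the log line; that
# text comes from the remote client and should be treated as untrusted by any
# action that interpolates it.
# The second pattern must stay indented: the parser joins an indented line onto
# the preceding value, whereas a column-0 line would be read as a new key.
failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
            ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=<F-USER>(?:\S+|.*?)</F-USER>, )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$

# Intentionally empty: no matched line is exempted from failregex.
ignoreregex =

# Journal filter used instead of a log file when the systemd backend is chosen.
journalmatch = _SYSTEMD_UNIT=sendmail.service

# DEV Notes:
#
# Author: Daniel Black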