2014-02-26 08:16:49 +00:00
|
|
|
# Fail2Ban filter for sendmail authentication failures
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
[INCLUDES]
|
|
|
|
|
|
|
|
|
|
before = common.conf
|
|
|
|
|
|
|
|
|
|
[Definition]
|
|
|
|
|
|
2018-01-10 13:48:25 +00:00
|
|
|
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
|
2019-11-08 12:15:40 +00:00
|
|
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
|
2014-02-26 08:16:49 +00:00
|
|
|
|
2019-11-06 14:28:17 +00:00
|
|
|
# "w{14,20}" will give support for IDs from 14 up to 20 characters long
|
2019-11-08 12:15:40 +00:00
|
|
|
failregex = ^%(__prefix_line)s(\S+ )?\[(?:IPv6:<IP6>|<IP4>)\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
|
2014-02-26 08:16:49 +00:00
|
|
|
|
|
|
|
|
ignoreregex =
|
|
|
|
|
|
2016-10-03 22:26:11 +00:00
|
|
|
journalmatch = _SYSTEMD_UNIT=sendmail.service
|
|
|
|
|
|
2014-02-26 08:16:49 +00:00
|
|
|
# DEV Notes:
|
|
|
|
|
#
|
|
|
|
|
# Author: Daniel Black
|
