2006-12-23 09:49:19 +00:00
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
2013-06-15 14:25:24 +00:00
# Daniel Black (rewrote with strong regexs)
2006-12-23 09:49:19 +00:00
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
2009-02-08 17:31:24 +00:00
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
2006-12-23 09:49:19 +00:00
# Values: TEXT
#
2013-06-15 02:34:16 +00:00
# From exim source code: ./src/receive.c:add_host_info_for_log
2013-06-15 14:19:37 +00:00
host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (?:I=\[\S+\]:\d+ )?(?:U=\S+ )?(P=e?smtp )?
pid = ( \[\d+\])?
2013-06-15 02:34:16 +00:00
2013-07-01 11:50:35 +00:00
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
2013-06-15 14:19:37 +00:00
^%(pid)s \S+ F=(?:<>|\S+@\S+) %(host_info)s(?:temporarily )?rejected by local_scan\(\): .{0,256}$
2013-07-01 11:53:05 +00:00
^%(pid)s login authenticator failed for (?:\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:rejected found in dnsbl \S+|relay not permitted|Sender verify failed|Unknown user)\s*$
2013-06-15 14:19:37 +00:00
^%(pid)s \S+ %(host_info)sF=(?:<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
2013-07-01 11:53:05 +00:00
^%(pid)s SMTP protocol synchronization error \(.*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (?:I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
2006-12-23 09:49:19 +00:00
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
