fail2ban/config/filter.d/sendmail-auth.conf

26 lines
776 B
Plaintext
Raw Normal View History

# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
2020-11-26 12:47:25 +00:00
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
2020-01-12 22:21:29 +00:00
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
2020-11-26 12:47:25 +00:00
addr = (?:IPv6:<IP6>|<IP4>)
2020-11-26 12:47:25 +00:00
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
2020-11-26 12:47:25 +00:00
failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
ignoreregex =
2016-10-03 22:26:11 +00:00
journalmatch = _SYSTEMD_UNIT=sendmail.service
# DEV Notes:
#
# Author: Daniel Black