fail2ban/config/filter.d/sendmail-auth.conf

# Fail2Ban filter for sendmail authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
addr = (?:IPv6:<IP6>|<IP4>)

prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$

failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
ignoreregex =

journalmatch = _SYSTEMD_UNIT=sendmail.service

# DEV Notes:
#
# Author: Daniel Black
ENH: add filter for sendmail-{auth,spam}. Closes gh-20 2014-02-26 08:16:49 +00:00			`# Fail2Ban filter for sendmail authentication failures`
			`#`

			`[INCLUDES]`

			`before = common.conf`

			`[Definition]`

filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) 2018-01-10 13:48:25 +00:00			`_daemon = (?:sendmail\|sm-(?:mta\|acceptingconnections))`
amend to 3f04cba9f92a1827d0cb3dcb51e57d9f60900b4a: sendmail-auth has 2 failregex now, so rewritten with prefregex 2020-08-27 16:07:42 +00:00			`# "\w{14,20}" will give support for IDs from 14 up to 20 characters long`
filter.d/sendmail-*.conf: both filters have same `__prefix_line` now (and same RE for ID, 14-20 chars long, optional) + adjusted test cases (gh-2563) 2019-11-08 12:15:40 +00:00			`__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?`
filter `sendmail-auth` extended to follow new authentication failure message introduced in sendmail 8.16.1, AUTH_FAIL_LOG_USER (gh-2757) 2020-08-27 15:44:25 +00:00			`addr = (?:IPv6:<IP6>\|<IP4>)`
ENH: add filter for sendmail-{auth,spam}. Closes gh-20 2014-02-26 08:16:49 +00:00
amend to 3f04cba9f92a1827d0cb3dcb51e57d9f60900b4a: sendmail-auth has 2 failregex now, so rewritten with prefregex 2020-08-27 16:07:42 +00:00			`prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$`

			`failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$`
			`^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+\|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$`
ENH: add filter for sendmail-{auth,spam}. Closes gh-20 2014-02-26 08:16:49 +00:00			`ignoreregex =`

Add sendmail journalmatch options 2016-10-03 22:26:11 +00:00			`journalmatch = _SYSTEMD_UNIT=sendmail.service`

ENH: add filter for sendmail-{auth,spam}. Closes gh-20 2014-02-26 08:16:49 +00:00			`# DEV Notes:`
			`#`
			`# Author: Daniel Black`