From 1ec9237e53a71fb99db605b475a5bf71160ca9b0 Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 25 Mar 2024 15:47:43 +0100
Subject: [PATCH] bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported
---
 ChangeLog | 2 +-
 config/filter.d/exim-common.conf | 2 +-
 config/filter.d/exim.conf | 2 +-
 fail2ban/tests/files/logs/exim | 5 +++++
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9f90ab6d..78314cbd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,7 +30,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition
 * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132)
 * `filter.d/exim.conf`:
 - messages are prefiltered by `prefregex` now
- - filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
+ - filter can bypass additional timestamp or pid that may be logged via systemd-journal or syslog-ng (gh-3060)
 - rewrite host line regex for all varied exim's log_selector states (gh-3263)
 - fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502)
 * `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860)
diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf
index 8ec6cf4c..78c093bb 100644
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@@ -11,7 +11,7 @@ after = exim-common.local
 _fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
 host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[\](?::\d+)?%(_fields_grp)s
-pid = (?:\s?\[\d+\]|\s?[\w\.-]+ exim\[\d+\]:)?
+pid = (?:\s?\[\d+\]|\s?[\w\.-]+ exim\[\d+\]:){0,2}
 logtype = file
 _add_pref = /_add_pref>
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 79a64158..cca32de3 100644
--- a/config/filter.d/exim.conf
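Review bot: The new `{0,2}` on the `pid` definition accepts any two of the alternatives in either order (e.g. `[8003] [8003]`, or two `tag exim[pid]:` prefixes), while the only two-part shape the added fixtures exercise is `tag exim[pid]: [pid]`; an ordered form `pid = (?:\s?[\w\.-]+ exim\[\d+\]:)?(?:\s?\[\d+\])?` would state that shape explicitly and, as far as the hunk shows, still cover the single-prefix forms. If the looser form is intentional, a comment above the definition such as `# optional pid prefix(es): "[pid]" (exim log), "tag exim[pid]:" (journal), or both as "tag exim[pid]: [pid]" (syslog-ng, gh-3060)` would record why two repetitions are allowed, since the hunk itself carries no explanation. The empty `\[\]` in `host_info` looks like an `<ADDR>` placeholder stripped by this rendering rather than part of the change.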
+++ b/config/filter.d/exim.conf
@@ -20,7 +20,7 @@ failregex = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unroute
 ^%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
 ^\s?SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+")%(host_info)s (?:next )?input=".*"\s*$
 ^\s?SMTP call from%(host_info)s dropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors)
- ^\s?SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s AUTH command used when not advertised\s*$
+ ^\s?SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s [A-Z]+ (?:command used when not advertised|authentication mechanism not supported)\s*$
 ^\s?no MAIL in SMTP connection from%(host_info)s
 ^\s?(?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
 >
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index f5c600b1..71fc1e26 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
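Review bot: `[A-Z]+` in the rewritten failregex only matches an upper-case, letters-only mechanism name, so the new "authentication mechanism not supported" alternative catches `LOGIN` (the fixture) but not SASL names that carry digits or hyphens such as `CRAM-MD5`, `DIGEST-MD5` or `SCRAM-SHA-1`; if Exim echoes the AUTH argument as the client sent it (it appears to, worth confirming), a client probing with such a mechanism would not be counted. The name is bounded by the literal phrase and `\s*$`, so widening it to `[\w-]+ ` (or `[A-Z0-9_-]+ ` if Exim always logs it upper-case) keeps the anchoring while closing the gap, and `AUTH command used when not advertised` still matches either way. A fixture line with a hyphenated mechanism name next to the LOGIN one would pin the behaviour. The `failregex` list this hunk edits starts before the hunk, and the bare `>` on its last line looks like a stripped `<mdre-<mode>>` placeholder in this rendering rather than part of the change.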
@@ -72,6 +72,11 @@
 # failJSON: { "time": "2016-03-21T04:33:14", "match": true , "host": "192.0.2.33", "desc": "short form without optional session-id" }
 2016-03-21 04:33:14 SMTP connection from (some.domain) [192.0.2.33] closed by DROP in ACL
+# failJSON: { "time": "2016-04-01T11:08:00", "match": true , "host": "192.0.2.29", "desc": "authentication mechanism not supported, gh-3060" }
+2016-04-01 11:08:00 info exim[8003]: [8003] SMTP protocol error in "AUTH LOGIN" H=(User) [192.0.2.29]:4816 I=[192.0.2.1]:25 Ci=8003 LOGIN authentication mechanism not supported
+# failJSON: { "time": "2016-04-01T11:08:00", "match": true , "host": "192.0.2.29", "desc": "additional pid logged with syslog-ng, gh-3060" }
+2016-04-01 11:08:00 info exim[8001]: [8001] no MAIL in SMTP connection from (User) [192.0.2.29]:20042 I=[192.0.2.1]:25 Ci=8001 D=0.349s C=EHLO,AUTH,QUIT
+
 # failJSON: { "time": "2016-04-01T11:08:39", "match": true , "host": "192.0.2.1" }
 2016-04-01 11:08:39 [18643] no MAIL in SMTP connection from host.example.com (SERVER) [192.0.2.1]:1418 I=[172.89.0.6]:25 D=34s C=EHLO,AUTH
 # failJSON: { "time": "2016-04-01T11:08:40", "match": true , "host": "192.0.2.2" }