diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 19ade1e8..f1e56a75 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -24,6 +24,21 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
 ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
 ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
 ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
+ >
+
+mdre-aggressive = ^%(pid)s no host name found for IP address $
+ ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[\]\)$
+
+mdre-normal =
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match flood and ddos-similar log-entries like:
+# 'no host found for IP', 'no IP found for host'.
+# Note this is not an authentication failures, so it may produce lots of false
+# positives on misconfigured MTAs.
+# Ex.:
+# filter = exim[mode=aggressive]
+mode = normal
 
 ignoreregex =
 
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 97786f4e..ea3c5dca 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
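Review bot: The two `mdre-aggressive` patterns end in a bare `$`, whereas every existing `failregex` line visible in this hunk ends in `\s*$` to tolerate trailing whitespace, so for consistency the new lines would read `... found for IP address <HOST>\s*$` and `... from \[<HOST>\]\)\s*$` (the `<HOST>` tags, and the `<mdre-<mode>>` reference that the lone `>` on the first added line is the remnant of, appear to have been stripped from this rendering of the patch). The added comment also needs a grammar fix: `# Note these are not authentication failures, so they may produce lots of false`. Because the aggressive patterns presumably fire on every connection that lacks working reverse DNS, the comment would be more useful if it said that each such connection is counted as a failure, so operators enabling `mode=aggressive` should expect legitimate senders without a PTR record to be banned unless the jail's `maxretry` is raised accordingly.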
@@ -83,3 +83,17 @@
 2017-11-28 14:14:31 SMTP protocol error in "aUtH lOgIn" H=(roxzgj) [192.0.2.5] AUTH command used when not advertised
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised
+
+## no matches with `mode = normal`:
+
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+
+# filterOptions: [{"mode": "aggressive"}]
+
+# failJSON: { "time": "2017-12-03T08:32:00", "match": true , "host": "192.0.2.8", "desc": "no host found for IP" }
+2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
+# failJSON: { "time": "2017-12-03T08:51:35", "match": true , "host": "192.0.2.9", "desc": "no IP found for host" }
+2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])