diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf
index e16debf99..4d622b7b2 100644
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@@ -38,4 +38,4 @@ pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
 # Daniel Black (rewrote with strong regexs)
 # Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
 # Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
-# Varlamov Vladimir (host line definition)
+# Vladimir Varlamov (host line definition)
diff --git a/config/filter.d/exim-spam.conf b/config/filter.d/exim-spam.conf
index 0a283f467..7ce04acad 100644
--- a/config/filter.d/exim-spam.conf
+++ b/config/filter.d/exim-spam.conf
@@ -45,4 +45,4 @@ honeypot = trap@example.com
 
 # DEV Notes
 # -----------
-# The %(host_info) definition contains a match. No space before. See exim-common.conf
+# The %(host_info) definition contains a match. No space before. See exim-common.conf
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 7d4144a76..c9de8c927 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -26,8 +26,8 @@ failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user|
 ^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
 >
 
-mdre-aggressive = ^%(pid)s no host name found for IP address $
- ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[\]\)$
+mdre-aggressive = ^%(pid)s no host name found for IP address $
+ ^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$
 
 mdre-normal = 
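Review bot: The new `mdre-aggressive` block still carries no comment saying why these two patterns are confined to aggressive mode, and the rewritten second pattern now delegates the choice of banned address to `%(host_info)s`, which is defined in exim-common.conf outside this diff. Both "no host name found for IP address" and "no IP address found for host" are DNS lookup failures rather than authentication or policy rejections, so they will presumably also fire for legitimate senders with broken reverse DNS, which a maintainer cannot tell from the regex alone. I would add above the assignment `# aggressive only: these are DNS-lookup failures, not auth/policy failures, so they also hit legitimate hosts with broken PTR records` and `# host_info (exim-common.conf) binds the banned address to the bracketed peer address, not to the I=[...] interface address newer exim lines append`; the 2022-04-03 fixture in the test log asserts exactly that peer-vs-I= behaviour. The failregex block this hunk continues begins above the hunk, and as rendered here the host placeholder token is missing from these lines, which looks like a rendering artefact rather than a defect.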
@@ -44,7 +44,7 @@ ignoreregex = 
 
 # DEV Notes
 # -----------
-# The %(host_info) definition contains a match. No space before. See exim-common.conf
+# The %(host_info) definition contains a match. No space before. See exim-common.conf
 #
 # SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
 # to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 94bca0852..da7e2bc66 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@@ -93,12 +93,19 @@
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised
+# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
+2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
+# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
+2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F= rejected RCPT : relay not permitted
+
 ## no matches with `mode = normal`:
 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
 # filterOptions: [{"mode": "aggressive"}] 
@@ -106,8 +113,5 @@
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "time": "2017-12-03T08:51:35", "match": true , "host": "192.0.2.9", "desc": "no IP found for host" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
-
-# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
-2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
-# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
-2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F= rejected RCPT : relay not permitted
+# failJSON: { "time": "2022-04-03T21:53:53", "match": true , "host": "63.85.123.6", "desc": "no IP found for host long" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
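Review bot: The `"desc": "no IP found for host long"` on the new failJSON line does not say what this fixture guards, which is the one thing that distinguishes it from the 2017-12-03 08:51:35 case three lines above: the peer address now carries a `:49390` port and is followed by an `I=[31.130.202.17]:25` field, and the expected host is the bracketed peer 63.85.123.6 rather than the address after `I=` (which, from the :25 and :465 ports on these lines, appears to be the local listening interface). A maintainer who later sees two bracketed addresses on the line has no hint which one the filter is meant to ban. I would make it `"desc": "no IP found for host, with :port and I=[interface] suffix; host is the peer, not the I= address"`.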