Exim failregex: Include lower/mixed case AUTH

When reporting the error `AUTH command used when not advertised`, Exim starts with `SMTP protocol error in "........."`. Here, Exim logs the SMTP command as it was provided by the connecting client. https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850 According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded in upper case, lower case, or any mixture of upper and lower case with no impact on its meaning." https://tools.ietf.org/html/rfc5321#section-2.4 Lower case `auth login` brute-force attempts were seen in the wild and were not caught by the current failregex. This commit makes the failregex case-insensitive for the `AUTH` command, so that lower case (`auth`) or mixed case (`aUtH`) now also match. The failregex was already case-insensitive for the command arguments (e.g. `AUTH login` already matched).
7 years ago · aa158ac05f
2 changed files with 6 additions and 1 deletions
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@ -18,7 +18,7 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
-            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
+            ^%(pid)s SMTP protocol error in "[Aa][Uu][Tt][Hh] \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$

--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@ -76,3 +76,8 @@
 2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com)
 # failJSON: { "time": "2017-05-01T07:42:42", "match": true , "host": "192.0.2.3", "desc": "rejected RCPT - Unrouteable address" }
 2017-05-01 07:42:42 H=some.rev.dns.if.found (the.connector.reports.this.name) [192.0.2.3] F=<some.name@some.domain> rejected RCPT <some.invalid.name@a.domain>: Unrouteable address
+
+# failJSON: { "time": "2017-11-28T14:14:30", "match": true , "host": "192.0.2.4", "desc": "lower case AUTH command" }
+2017-11-28 14:14:30 SMTP protocol error in "auth login" H=(roxzgj) [192.0.2.4] AUTH command used when not advertised
+# failJSON: { "time": "2017-11-28T14:14:31", "match": true , "host": "192.0.2.5", "desc": "mixed case AUTH command" }
+2017-11-28 14:14:31 SMTP protocol error in "aUtH lOgIn" H=(roxzgj) [192.0.2.5] AUTH command used when not advertised