Merge branch 'patch-2' (gh-1371)

ChangeLog

@@ -15,7 +15,8 @@ ver. 0.9.5 (2015/XX/XXX) - wanna-be-released
 
 - Enhancements:
    * journald journalmatch for pure-ftpd (gh-1362)
-   * Add additional regex filter for dovecot ldap authentication failures
+   * Add additional regex filter for dovecot ldap authentication failures (gh-1370)
+   * added additional regex filters for exim (gh-1371)
 
 
 ver. 0.9.4 (2016/03/08) - for-you-ladies

config/filter.d/exim.conf

@@ -14,10 +14,13 @@ before = exim-common.conf
 [Definition]
 
 failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
-             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
-             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
-             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
-             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+            ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
+            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
+            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+            ^%(pid)s SMTP protocol error in "AUTH LOGIN(| \S*)" H=\(\S*\) \[<HOST>\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$
+            ^%(pid)s no MAIL in SMTP connection from (|\S* )\[<HOST>\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$
+            ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\))\[<HOST>\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$
 
 ignoreregex = 
 
@@ -30,3 +33,4 @@ ignoreregex =
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
+#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)

fail2ban/tests/files/logs/exim

@@ -43,3 +43,16 @@
 
 # failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
 2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
+
+# failJSON: { "time": "2016-03-18T00:34:06", "match": true , "host": "45.32.34.167" }
+2016-03-18 00:34:06 [7513] SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [45.32.34.167]:60723 I=[172.89.0.6]:587 AUTH command used when not advertised
+# failJSON: { "time": "2016-03-19T18:40:44", "match": true , "host": "92.45.204.170" }
+2016-03-19 18:40:44 [26221] SMTP protocol error in "AUTH LOGIN aW5mb0BtYW5iYXQub3Jn" H=([127.0.0.1]) [92.45.204.170]:14243 I=[172.89.0.6]:587 AUTH command used when not advertised
+# failJSON: { "time": "2016-03-21T06:38:05", "match": true , "host": "49.212.207.15" }
+2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS
+# failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" }
+2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s
+# failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" }
+2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL
+# failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" }
+2016-03-21 04:33:13 [26074] 1ahrVl-0006mY-79 SMTP connection from riveruse.com [206.214.71.53]:39865 I=[172.89.0.6]:25 closed by DROP in ACL