diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf
index e16debf9..0f8c91ff 100644
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@@ -11,7 +11,7 @@ after = exim-common.local
 _fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
 host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[\](?::\d+)?%(_fields_grp)s
-pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
+pid = (?: \[\d+\]| [\w\.-]+ exim\[\d+\]:)?
 # DEV Notes
@@ -38,4 +38,4 @@ pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
 # Daniel Black (rewrote with strong regexs)
 # Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
 # Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
-# Varlamov Vladimir (host line definition)
+# Vladimir Varlamov (host line definition)
diff --git a/config/filter.d/exim-spam.conf b/config/filter.d/exim-spam.conf
index 0a283f46..7ce04aca 100644
--- a/config/filter.d/exim-spam.conf
+++ b/config/filter.d/exim-spam.conf
@@ -45,4 +45,4 @@ honeypot = trap@example.com
 
 # DEV Notes
 # -----------
-# The %(host_info) definition contains a match. No space before. See exim-common.conf
+# The %(host_info) definition contains a match. No space before. See exim-common.conf
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 7d4144a7..c9de8c92 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -26,8 +26,8 @@ failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user|
 ^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
 >
 
-mdre-aggressive = ^%(pid)s no host name found for IP address $
- ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[\]\)$
+mdre-aggressive = ^%(pid)s no host name found for IP address $
+ ^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$
 
 mdre-normal = 
 
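Review bot: The new prefix class `[\w\.-]+` in `pid` escapes the dot needlessly and so spells the same character set differently from `host_info`'s `(?:[\w.-]+)?` two lines above; writing it `[\w.-]+` keeps the two definitions visibly in step. Since `pid` is only ever used directly after `^` (see `^%(pid)s` in exim.conf) and the token must be followed by the literal ` exim[` plus a PID, widening `\w+` to a dotted/hyphenated token admits FQDN-style syslog hostnames without, as far as this hunk shows, letting any attacker-controlled message field satisfy the prefix. That reasoning is worth recording in the DEV Notes below, e.g. `# pid: optional syslog-style prefix, "[NNN]" or "<hostname> exim[NNN]:"; the hostname token is [\w.-]+ so dotted FQDNs match (gh-2553)`.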
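Review bot: The rewritten second `mdre-aggressive` line now depends on `host_info`'s trailing `%(_fields_grp)s` to absorb `:port` and `I=[...]:port` before `\)$`, but the DEV Notes (which already warn "No space before" for `host_info`) do not say so; I would add `# mdre-aggressive: "from%(host_info)s" relies on the trailing _fields_grp to absorb :port and I=[..] fields; the host name is matched by \S+, which cannot span the literal " (during SMTP connection from", so that name cannot supply the address part`. The `\S+` host token is presumably DNS-derived input, so stating that property explicitly is better than leaving it implicit. The `failregex` block this hunk belongs to starts outside the hunk.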
@@ -44,7 +44,7 @@ ignoreregex = 
 
 # DEV Notes
 # -----------
-# The %(host_info) definition contains a match. No space before. See exim-common.conf
+# The %(host_info) definition contains a match. No space before. See exim-common.conf
 #
 # SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
 # to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 94bca085..c66a0f98 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@@ -47,8 +47,8 @@
 # failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
 2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)
-# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'mx1 exim[...]:', gh-2553" }
-2019-10-22 03:39:17 mx1 exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
+# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
+2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
 # failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
 2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
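Review bot: Rewriting the gh-2553 sample from `mx1 exim[29786]:` to `mx1.fqdn.local exim[29786]:` leaves the short-hostname form, which is what gh-2553 originally covered, without any fixture now that `pid` accepts `[\w\.-]+`. Keeping the original `mx1` pair and adding the FQDN pair as a second sample would guard both shapes, e.g. restore the two removed lines and follow them with `# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'fqdn exim[...]:', gh-2553" }` and the new `mx1.fqdn.local` log line.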
@@ -93,12 +93,19 @@
 
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised
+# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
+2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
+# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
+2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F= rejected RCPT : relay not permitted
+
 ## no matches with `mode = normal`:
 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
 
 # filterOptions: [{"mode": "aggressive"}]
 
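Review bot: The new 2022-04-03 sample here, and its aggressive-mode twin in the following hunk, use routable addresses `63.85.123.6` and `31.130.202.17`, while the surrounding fixtures use the RFC 5737 documentation range (`192.0.2.6`, `192.0.2.8`, `192.0.2.9`). Since the file lives in the test tree and those addresses are also pinned in `"host"` fields, I'd prefer documentation addresses, e.g. `[192.0.2.10]:49390 I=[192.0.2.11]:25` with `"host": "192.0.2.10"` in the paired failJSON. The 2024-03-21 lines moved into this hunk (`194.169.175.1`, `9.12.1.21`, `22.33.44.55`, `194.169.175.2`) have the same issue, though they predate this commit.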
@@ -106,8 +113,5 @@
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "time": "2017-12-03T08:51:35", "match": true , "host": "192.0.2.9", "desc": "no IP found for host" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
-
-# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
-2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
-# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
-2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F= rejected RCPT : relay not permitted
+# failJSON: { "time": "2022-04-03T21:53:53", "match": true , "host": "63.85.123.6", "desc": "no IP found for host long" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
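Review bot: The `desc` of the new aggressive-mode sample, `"no IP found for host long"`, does not say what distinguishes it from the `"no IP found for host"` sample two lines above, which is the `:49390 I=[...]:25` suffix inside the parentheses that the `%(host_info)s`-based `mdre-aggressive` regex now has to absorb. `"desc": "no IP found for host, with port and I= field inside the parentheses"` would make the purpose of the fixture clear to whoever next touches that regex. The removed 2024-03-21 lines are only relocated, so nothing further to raise there.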