mirror of https://github.com/fail2ban/fail2ban
Merge pull request #386 from grooverdan/qmail
ENH: filter.d/qmail - anchor at start. Add another regexpull/392/merge
Daniel Black
commit
e417a2112c
|
|
@ -88,6 +88,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
|
||||||
* filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
|
* filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
|
||||||
bug #722970
|
bug #722970
|
||||||
* filter.d/webmin - anchored regex at start
|
* filter.d/webmin - anchored regex at start
|
||||||
|
* filter.d/qmail - rewrote regex to anchor at start. Added regex for
|
||||||
|
another "in the wild" patch to rblsmtp.
|
||||||
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
|
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
|
||||||
* filter.d/exim.conf -- regex hardening and extra failure examples in
|
* filter.d/exim.conf -- regex hardening and extra failure examples in
|
||||||
sample logs
|
sample logs
|
||||||
|
|
|
||||||
|
|
@ -1,22 +1,22 @@
|
||||||
# Fail2Ban configuration file
|
# Fail2Ban configuration file
|
||||||
#
|
#
|
||||||
# Author: Cyril Jaquier
|
# Author: Daniel Black
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
# Option: failregex
|
_daemon = (?:qmail|rblsmtpd)
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
|
||||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
||||||
# Values: TEXT
|
|
||||||
#
|
|
||||||
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
|
|
||||||
|
|
||||||
# Option: ignoreregex
|
|
||||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
||||||
# Values: TEXT
|
|
||||||
#
|
#
|
||||||
ignoreregex =
|
# These seem to be for two or 3 different patches to qmail or rblsmtpd
|
||||||
|
# so you'll probably only ever see one of these.
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
|
||||||
|
^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
|
||||||
|
^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2,3 +2,9 @@
|
||||||
Sep 6 07:33:33 sd6 qmail: 1157520813.485077 rblsmtpd: 198.51.100.77 pid 19597 sbl-xbl.spamhaus.org: 451 http://www.spamhaus.org/query/bl?ip=198.51.100.77
|
Sep 6 07:33:33 sd6 qmail: 1157520813.485077 rblsmtpd: 198.51.100.77 pid 19597 sbl-xbl.spamhaus.org: 451 http://www.spamhaus.org/query/bl?ip=198.51.100.77
|
||||||
# failJSON: { "time": "2004-09-06T07:18:29", "match": true , "host": "198.51.100.54" }
|
# failJSON: { "time": "2004-09-06T07:18:29", "match": true , "host": "198.51.100.54" }
|
||||||
Sep 6 07:18:29 sd6 qmail: 1157519909.633171 qmail-smtpd: 421 badiprbl: ip 198.51.100.54 rbl: example.com
|
Sep 6 07:18:29 sd6 qmail: 1157519909.633171 qmail-smtpd: 421 badiprbl: ip 198.51.100.54 rbl: example.com
|
||||||
|
|
||||||
|
# http://www.tjsi.com/rblsmtpd/faq/
|
||||||
|
# failJSON: { "time": "2005-06-30T15:13:33", "match": true , "host": "193.111.120.47" }
|
||||||
|
Jun 30 15:13:33 ns1 rblsmtpd: relays.ordb.org blocked 193.111.120.47 ordb-test.null.dk -
|
||||||
|
# failJSON: { "time": "2005-06-30T15:13:55", "match": true , "host": "192.203.178.107" }
|
||||||
|
Jun 30 15:13:55 ns1 rblsmtpd: relays.osirusoft.com blocked 192.203.178.107 sbl.crynwr.com -
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue