diff --git a/config/filter.d/assp.conf b/config/filter.d/assp.conf
index 2aa8958c..0bfba6dc 100644
--- a/config/filter.d/assp.conf
+++ b/config/filter.d/assp.conf
@@ -1,24 +1,24 @@
-# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP) Version 2.5.1 (or later)
 #
-# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
-# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+# Homepage: http://sourceforge.net/projects/assp/
+# ProjectSite: http://sourceforge.net/projects/assp/?source=directory
 #
 #
 [Definition]
-__assp_actions = (?:dropping|refusing)
-
-failregex = ^(:? \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
- ^(?: \[SSL-out\])? SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
- ^ Blocking - too much AUTH errors \(\d{,3}\);$
+failregex = \<\S+@\S+\.\S+\> to: \S+@\S+\.\S+ relay attempt blocked for: \S+$
+ \[SMTP Error\] 535 5\.7\.8 Error: authentication failed.*$
 ignoreregex =
 # DEV Notes:
 #
-# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
-# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
+# Examples:
+# Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 to: user@example.org relay attempt blocked for: someone@example.org
+# Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+# Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+# Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
 #
 # Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
+# Updated: Robert Hardy (rhardy@webcon.ca)
diff --git a/fail2ban/tests/files/logs/assp b/fail2ban/tests/files/logs/assp
index 2c658eb9..71c28221 100644
--- a/fail2ban/tests/files/logs/assp
+++ b/fail2ban/tests/files/logs/assp
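Review bot: Neither of the two added `failregex` lines starts with `^`, unlike the three patterns they replace, so each can match wherever its text occurs in a log line, including inside fields the remote SMTP client supplies (the sender and recipient addresses on the relay-attempt line). Fail2ban's filter guidance is to anchor at the start and spell out the prefix; here that prefix is the optional message id and the bracketed `[Worker_1]`/`[TLS-in]`/`[TLS-out]` tags seen in the examples, for instance `^(?:\s+\S+)?(?:\s+\[[^\]]+\])+\s+<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed\b` (a sketch to be checked against real ASSP 2.5.1 logs). The trailing `.*$` on the second pattern adds nothing and can be dropped. No `<HOST>` tag is visible in either pattern as shown on this page; if that is not a rendering artefact, the filter has no address to report for banning.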
@@ -1,25 +1,8 @@
-# failJSON: { "time": "2013-04-07T07:08:36", "match": true , "host": "68.171.223.68" }
-Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# failJSON: { "time": "2013-04-07T07:08:36", "match": true , "host": "68.171.223.68" }
-Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# failJSON: { "time": "2013-04-07T07:10:37", "match": true , "host": "68.171.223.68" }
-Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# failJSON: { "time": "2013-04-07T07:12:37", "match": true , "host": "68.171.223.68" }
-Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# failJSON: { "time": "2013-04-07T07:14:36", "match": true , "host": "68.171.223.68" }
-Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
-# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
-# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
-# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
-# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
-# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
-# failJSON: { "time": "2013-04-27T02:25:11", "match": true , "host": "217.194.197.97" }
-Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
-
+# failJSON: { "time": "2016-07-29T16:49:52", "match": true , "host": "0.0.0.0" }
+Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 to: user@example.org relay attempt blocked for: someone@example.org
+# failJSON: { "time": "2016-07-30T17:07:25", "match": true , "host": "0.0.0.0" }
+Jul-30-16 17:07:25 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+# failJSON: { "time": "2016-07-30T17:11:05", "match": true , "host": "0.0.0.0" }
+Jul-30-16 17:11:05 m1-13060-05386 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+# failJSON: { "time": "2016-07-31T06:45:59", "match": true , "host": "0.0.0.0" }
+Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
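Review bot: All four added samples are `"match": true`, so the fixture never pins down a line the filter must leave alone. Add at least one `# failJSON: { "match": false }` sample, for instance an ASSP line where the `authentication failed` or `relay attempt blocked for:` text sits in a client-supplied field rather than in ASSP's own message, so that any later loosening of the patterns is caught by the test run. Every sample also uses `0.0.0.0` as the host; a documentation address such as `192.0.2.1` (constructed example) would show more clearly that host extraction picks up the connecting client.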