mirror of https://github.com/fail2ban/fail2ban
52 lines
1.4 KiB
Plaintext
52 lines
1.4 KiB
Plaintext
# Fail2Ban filter file for common exim expressions
|
|
#
|
|
# This is to be used by other exim filters
|
|
|
|
[INCLUDES]
|
|
|
|
# Load customizations if any available
|
|
after = exim-common.local
|
|
|
|
[Definition]
|
|
|
|
_fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
|
|
host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[<ADDR>\](?::\d+)?%(_fields_grp)s
|
|
pid = (?:\s?\[\d+\]|\s?[\w\.-]+ exim\[\d+\]:){0,2}
|
|
|
|
logtype = file
|
|
_add_pref = <lt_<logtype>/_add_pref>
|
|
|
|
__prefix_line = %(pid)s%(_add_pref)s
|
|
|
|
[lt_journal]
|
|
_add_pref = (?: \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})?
|
|
|
|
[lt_file]
|
|
_add_pref =
|
|
|
|
# DEV Notes
|
|
# ------------
|
|
# Host string happens:
|
|
# H=[ip address]
|
|
# H=(helo_name) [ip address]
|
|
# H=host_name [ip address]
|
|
# H=host_name (helo_name) [ip address]
|
|
# flags H=host_name (helo_name) [ip address] flags
|
|
# where only [ip address] always visible, ignore ident
|
|
# From exim source code:
|
|
# src/src/host.c:host_and_ident()
|
|
# src/receive.c:add_host_info_for_log()
|
|
|
|
# Substitution of `_fields_grp` bypasses all flags but H
|
|
# Summary of Fields in Log Lines depending on log_selector
|
|
# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
|
|
# at version exim-4.97.1
|
|
# ---
|
|
|
|
# Authors:
|
|
# Cyril Jaquier
|
|
# Daniel Black (rewrote with strong regexs)
|
|
# Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
|
|
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
|
|
# Vladimir Varlamov (host line definition)
|