mirror of https://github.com/fail2ban/fail2ban
26 lines
790 B
Plaintext
26 lines
790 B
Plaintext
# Fail2Ban filter for sendmail authentication failures
|
|
#
|
|
|
|
[INCLUDES]
|
|
|
|
before = common.conf
|
|
|
|
[Definition]
|
|
|
|
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
|
|
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
|
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
|
|
addr = (?:IPv6:<IP6>|<IP4>)
|
|
|
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
|
|
|
|
failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
|
|
^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=<F-USER>(?:\S+|.*?)</F-USER>, )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
|
|
ignoreregex =
|
|
|
|
journalmatch = _SYSTEMD_UNIT=sendmail.service
|
|
|
|
# DEV Notes:
|
|
#
|
|
# Author: Daniel Black
|