Modifying fail2ban-regex for too many syntax or protocol errors

From Home wiki

And this regex: ".*SMTP .*\[([0-9]+).{9}\] (dropped|rejected|invalid): too many" – without the " " marks – matches on these test strings

Awesome, this saved me :) thank you! It happened again this morning.

This is what I ended up with:

^.*SMTP .*\[<HOST>\] (dropped|rejected|invalid): too many

The purpose of <HOST> and the ^ are covered here:

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

It looks like fail2ban has its own way of matching common date and time formats, so one does not need to match those; the ^ anchors the start of the data to match on, i.e. what follows the timestamp.
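As an added example (not code from the original page), the following Python script mimics what fail2ban does with this failregex: it expands <HOST> using a simplified host pattern (an assumption; fail2ban's own expansion is more elaborate), strips exim's leading timestamp the way fail2ban's date matching would, and reports which of a few constructed mainlog lines would trigger a ban.

```python
import re

# In fail2ban this regex lives in a filter file, e.g. /etc/fail2ban/filter.d/NAME.conf
# (NAME is a placeholder; the page only shows the jail name [exim-pf]):
#   [Definition]
#   failregex = ^.*SMTP .*\[<HOST>\] (dropped|rejected|invalid): too many
FAILREGEX = r"^.*SMTP .*\[<HOST>\] (dropped|rejected|invalid): too many"

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion; it accepts
# IPv4, IPv6 and hostname characters and captures them in the group "host".
HOST_PATTERN = r"(?P<host>[\w.:-]+)"

# Assumption: fail2ban matches the timestamp itself and applies failregex to the
# remainder; this strips exim's "YYYY-MM-DD HH:MM:SS " prefix to mimic that.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute <HOST> and compile, as fail2ban does for each failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(lines, failregex: str = FAILREGEX):
    """Return the host captured from every log line the filter would ban."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        body = TIMESTAMP.sub("", line, count=1)  # what follows the timestamp
        match = pattern.search(body)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Constructed sample exim mainlog lines: the first is the page's own test line,
# the second is a variant that should also match, the third must not match.
SAMPLE_LOG = [
    '2014-02-08 17:35:01 SMTP call from [210.227.112.32] dropped: too many '
    'syntax or protocol errors (last command was "AUTH LOGIN")',
    '2014-02-08 17:35:44 SMTP call from host.example.net [198.51.100.7] rejected: '
    'too many nonmail commands (last command was "EHLO")',
    '2014-02-08 17:36:10 SMTP connection from [192.0.2.10] closed by QUIT',
]

if __name__ == "__main__":
    for host in matched_hosts(SAMPLE_LOG):
        print(f"would ban {host}")
```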

To test the regex:

root@core:~ # echo '2014-02-08 17:35:01 SMTP call from [210.227.112.32] dropped: too many syntax or protocol errors (last command was "AUTH LOGIN")' >> /var/log/exim/mainlog

And surely enough, the fail2ban log shows:

2014-02-08 17:35:37,922 fail2ban.actions: WARNING [exim-pf] Ban 210.227.112.32

Excellent!

That should put an end to the log spammage.