All the lines in /etc/fail2ban/filter.d/exim.conf start with "^%(pid)s "
Those characters are trying to match a PID at the start of log lines, I guess.
Actually in /etc/fail2ban/filter.d/exim-common.conf I see:
pid = ( \[\d+\])?
But the problem is that the lines in /var/log/exim4/mainlog contain no PIDs at
the start of the line.
From http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html:
"Exim does not include its process id in log lines by default, but you can
request that it does so by specifying the pid log selector (see section 52.15).
When this is set, the process id is output, in square brackets, immediately
after the time and date. "
So that is an optional feature of exim, but it is not enabled by default.
So certainly the regexes in /etc/fail2ban/filter.d/exim.conf are broken and need
to be fixed.
Thanks,
Alex
On Thu, 24 Jul 2014 09:09:32 +1000 Aaron Howell <aa...@kitten.net.au> wrote:
Package: fail2ban
Version: 0.9.0+git48-gabcab00-1
Severity: normal
-- System Information:
Debian Release: jessie/sid
APT prefers utopic
APT policy: (500, 'utopic')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.15.0-6-generic (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages fail2ban depends on:
ii init-system-helpers 1.19
ii lsb-base 4.1+Debian11ubuntu8
ii python 2.7.8-1
Versions of packages fail2ban recommends:
ii iptables 1.4.21-2ubuntu1
ii python-pyinotify 0.9.4-1build1
ii whois 5.1.4
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20131005cvs-1
pn python-gamin <none>
pn python-systemd <none>
ii rsyslog [system-log-daemon] 7.4.4-1ubuntu5
-- no debconf information
I have enabled the exim filter within fail2ban, and added a
logfile=/var/log/exim4/mainlog entry.
I can see that the log file is opened by fail2ban, and it correctly detects
when the log file is rotated, however, no lines are matched, meaning nothing
gets banned.
Here are some log entries which should match:
2014-07-24 07:05:51 H=host28-145-static.87-94-b.business.telecomitalia.it (ElintecGPRS) [94.87.145.28] F=<swoodr...@apprhs.org> rejected RCPT <aar...@kitten.net.au>: Unrouteable address
2014-07-24 07:05:52 H=host28-145-static.87-94-b.business.telecomitalia.it (ElintecGPRS) [94.87.145.28] F=<swoodr...@apprhs.org> rejected RCPT <aaro...@kitten.net.au>: Unrouteable address
2014-07-24 07:19:06 H=(Takaste.unknown.creeperhost.net) [82.145.53.119] F=<lp...@unknown.creeperhost.net> rejected RCPT <mon-petit-monde....@kitten.net.au>: Unrouteable address
2014-07-24 07:22:17 H=dl123149.arvixevps.com [23.91.115.19] F=<rich...@arvixevps.com> rejected RCPT <moda...@kitten.net.au>: Unrouteable address
2014-07-24 07:24:55 H=dl123149.arvixevps.com [23.91.115.19] F=<bellavi...@arvixevps.com> rejected RCPT <3gforffree....@kitten.net.au>: Unrouteable address
2014-07-24 07:40:11 H=(Moodle) [31.222.138.20] F=<colvin...@webtv.net> rejected RCPT <townofbrookneal....@kitten.net.au>: Unrouteable address
2014-07-24 07:41:41 H=dl123149.arvixevps.com [23.91.115.19] F=<animat...@arvixevps.com> rejected RCPT <improvmentscatalog....@kitten.net.au>: Unrouteable address
2014-07-24 07:48:31 H=dl123149.arvixevps.com [23.91.115.19] F=<dr...@arvixevps.com> rejected RCPT <celticcomforts....@kitten.net.au>: Unrouteable address
2014-07-24 08:00:12 H=(Moodle) [31.222.138.20] F=<ll...@mcalistersdeli.com> rejected RCPT <c...@kitten.net.au>: Unrouteable address
2014-07-24 08:06:47 H=dl123149.arvixevps.com [23.91.115.19] F=<j...@arvixevps.com> rejected RCPT <dominicainesdelatrinite....@kitten.net.au>: Unrouteable address
2014-07-24 08:18:32 H=aventure.arvixevps.com [108.175.147.241] F=<k3...@arvixevps.com> rejected RCPT <na...@kitten.net.au>: Unrouteable address
2014-07-24 08:23:28 H=(Moodle) [31.222.138.20] F=<appl...@hkstar.com> rejected RCPT <locator....@kitten.net.au>: Unrouteable address
2014-07-24 08:37:29 H=dl123149.arvixevps.com [23.91.115.19] F=<misha.l...@arvixevps.com> rejected RCPT <19991007103020.a16...@meow.kitten.net.au>: Unrouteable address
2014-07-24 08:47:07 H=dl123149.arvixevps.com [23.91.115.19] F=<clo...@arvixevps.com> rejected RCPT <aol....@kitten.net.au>: Unrouteable address
In particular, the arvixevps ones should have generated a ban.
I have not made any changes to the regex for the exim filter, only changed the
logfile so that it matches where Debian actually stores the exim logs.
Sshd log processing and banning is working correctly, so fail2ban is actually
running correctly.
Using exim packages 4.83rc3-1.
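A small matching harness for this kind of report, added here as an example and not code from fail2ban or from either poster. It imitates what fail2ban does per line: strip the timestamp it recognises, then apply a failregex built from the `^%(pid)s ` prefix and the `pid = ( \[\d+\])?` definition quoted above. The regex body for the "rejected RCPT ...: Unrouteable address" case and the simplified stand-in for fail2ban's `<HOST>` placeholder are written for this example and are not the contents of filter.d/exim.conf. The sample lines are constructed from the excerpt in the report, with one "[12345]" pid inserted by hand to show the optional pid group. `diagnose` reports whether a line fails on the date, on the pid prefix or on the body, which is the split you want before deciding which part of a filter to fix.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the mainlog excerpt in the
# report, one with a "[12345]" pid inserted after the timestamp to imitate
# Exim's optional pid log selector, plus one unrelated delivery line that
# must not match. Not a live log.
SAMPLE_LINES = [
    "2014-07-24 07:22:17 H=dl123149.arvixevps.com [23.91.115.19] F=<rich...@arvixevps.com> rejected RCPT <moda...@kitten.net.au>: Unrouteable address",
    "2014-07-24 07:24:55 H=dl123149.arvixevps.com [23.91.115.19] F=<bellavi...@arvixevps.com> rejected RCPT <3gforffree....@kitten.net.au>: Unrouteable address",
    "2014-07-24 07:41:41 H=dl123149.arvixevps.com [23.91.115.19] F=<animat...@arvixevps.com> rejected RCPT <improvmentscatalog....@kitten.net.au>: Unrouteable address",
    "2014-07-24 07:40:11 H=(Moodle) [31.222.138.20] F=<colvin...@webtv.net> rejected RCPT <townofbrookneal....@kitten.net.au>: Unrouteable address",
    "2014-07-24 07:05:51 [12345] H=host28-145-static.87-94-b.business.telecomitalia.it (ElintecGPRS) [94.87.145.28] F=<swoodr...@apprhs.org> rejected RCPT <aar...@kitten.net.au>: Unrouteable address",
    "2014-07-24 08:00:00 <= bob@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234",
]

# The pid prefix exactly as quoted from exim-common.conf: an optional
# " [NNNN]" group, so lines with and without Exim's pid selector can match.
PID = r"( \[\d+\])?"
PREFIX = re.compile("^%s " % PID)

# Exim mainlog timestamp. fail2ban removes the date it recognises before
# applying failregex; this imitates that step (assumption: the space after
# the timestamp stays in place, which is why PID starts with one).
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Simplified stand-in for fail2ban's <HOST> placeholder (hypothetical).
HOST = r"(?P<host>[\w.\-]+)"

# Hypothetical failregex body for "rejected RCPT ...: Unrouteable address",
# written for this example, not copied from filter.d/exim.conf. It allows an
# optional hostname and an optional "(helo)" before the bracketed address.
BODY = (r"H=(?:[\w.\-]+ )?(?:\([^)]*\) )?\[%s\] F=<[^>]*> "
        r"rejected RCPT <[^>]*>: Unrouteable address$") % HOST
FAILREGEX = re.compile("^%s %s" % (PID, BODY))


def strip_date(line):
    """Return the line with the leading timestamp removed, or None."""
    m = DATE.match(line)
    return line[m.end():] if m else None


def diagnose(line):
    """Report which stage fails: 'date', 'prefix', 'body', or 'ok'.

    Testing the pieces separately tells you whether a filter is failing on
    its date/pid prefix or on the message body before you touch the regex.
    """
    rest = strip_date(line)
    if rest is None:
        return "date"
    if not PREFIX.match(rest):
        return "prefix"
    if not FAILREGEX.match(rest):
        return "body"
    return "ok"


def match_host(line):
    """Return the bracketed address a matching line names, else None."""
    rest = strip_date(line)
    if rest is None:
        return None
    m = FAILREGEX.match(rest)
    return m.group("host") if m else None


def ban_candidates(lines, maxretry=3):
    """Hosts seen at least maxretry times, the way a jail would count them
    (findtime ignored: every sample line falls inside one short window)."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-7s %s" % (diagnose(line), line[:60]))
    print("would ban:", ban_candidates(SAMPLE_LINES))
```

Against the real filter, `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` gives the equivalent breakdown (lines matched, dates recognised, lines ignored) and is the first thing to run when a jail opens the log but never bans.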