On 12/26/20 1:44 PM, Dan Egli wrote:
> failregex = fixed_login_exim4u authenticator failed for (User) <HOST> .*
> fixed_login_exim4u authenticator failed for .* <HOST>
> <HOST> locally blacklisted for a bruteforce
> H=(.*) <HOST> .* AUTH command used when not advertise#
> SMTP call from <HOST> I=[209.141.58.25]:587 dropped: oo
> many syntax or protocol errors .*
> ^.*SMTP protocol error in \"AUTH LOGIN\" .* H\=<HOST>
> .* AUTH command used when not advertised
>

Try this regex (beware the line wrap):

failregex = fixed_login_exim4u authenticator failed for \(User\) \[<HOST>\].*

It matches the log entry:

2020-12-19 22:41:01.051 fixed_login_exim4u authenticator failed for (User) [212.70.149.70] I=[209.141.58.25]:587: 535 Incorrect authentication data ([email protected])

I could not test any of the other regexes you listed since there are no sample log entries to test.

----[ test run ]----
$ fail2ban-regex rules-test-data.log rules-to-test.conf

Running tests
=============

Use   failregex filter file : rules-to-test, basedir: /etc/fail2ban
Use      datepattern : Year-Month-Day 24hour:Minute:Second.Microseconds
Use         log file : rules-test-data.log
Use         encoding : UTF-8

Results
=======

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] fixed_login_exim4u authenticator failed for \(User\) \[<HOST>\].*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] Year-Month-Day 24hour:Minute:Second.Microseconds
`-

Lines: 6 lines, 0 ignored, 6 matched, 0 missed
----[ end ]----

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
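
The difference between the quoted first rule and the escaped rule in the reply, checked against the sample log entry with Python's re module. This is an added example, not part of the thread: HOST_IPV4 is a simplified IPv4-only stand-in for fail2ban's <HOST> expansion, the GREEDY rule and the mailbox in the log line are constructed, and the helper names are hypothetical.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
# (the real expansion also handles IPv6 and hostnames).
HOST_IPV4 = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

def expand(failregex):
    """Substitute the <HOST> tag and compile the rule."""
    return re.compile(failregex.replace("<HOST>", HOST_IPV4))

def find_host(failregex, line):
    """Return the address the rule would ban, or None if the line is missed."""
    m = expand(failregex).search(line)
    return m.group("host") if m else None

# Sample entry from the reply; the mailbox at the end is a constructed
# placeholder because the page does not show the real one.
LINE = ("2020-12-19 22:41:01.051 fixed_login_exim4u authenticator failed for "
        "(User) [212.70.149.70] I=[209.141.58.25]:587: "
        "535 Incorrect authentication data (user@example.invalid)")

# First rule as quoted: "(User)" is a capture group that matches the bare
# text "User", and nothing accounts for the "[" "]" around the address.
UNESCAPED = r"fixed_login_exim4u authenticator failed for (User) <HOST> .*"

# Rule from the reply: literal parentheses and brackets are escaped.
ESCAPED = r"fixed_login_exim4u authenticator failed for \(User\) \[<HOST>\].*"

# Constructed variant: a greedy ".*" before <HOST> backtracks to the LAST
# bracketed address, which is Exim's I=[...] local interface, so the rule
# would name the mail server itself instead of the remote client.
GREEDY = r"fixed_login_exim4u authenticator failed for .*\[<HOST>\]"

def report():
    """Map each rule name to the address it captures from LINE."""
    rules = {"unescaped": UNESCAPED, "escaped": ESCAPED, "greedy": GREEDY}
    return {name: find_host(rx, LINE) for name, rx in rules.items()}

if __name__ == "__main__":
    for name, host in report().items():
        print(f"{name:10s} -> {host}")
```

Anchoring <HOST> directly after the literal text that precedes the client address, as the reply's rule does, keeps the capture away from the I=[...] field.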
