Hi Diane,

> Won't match
> "2021-10-24 00:28:54 SMTP protocol error in "AUTH LOGIN" H=(User) ...

Hmm, my log lines look the same and here they do match. Maybe we can first compare output to find out what is the difference. What output do you get for the following command:

$ fail2ban-regex -v "2021-10-24 00:28:54 SMTP protocol error in \"AUTH LOGIN\" H=(user) [192.0.2.1] AUTH command used when not advertised" exim

This is what I get:

Running tests
=============

Use failregex filter file : exim, basedir: /etc/fail2ban
Use single line : 2021-10-24 00:28:54 SMTP protocol error in "AUTH L...

Results
=======

Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [0] ^(?: \[\d+\])? (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
| 2) [0] ^(?: \[\d+\])? \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
| 3) [0] ^(?: \[\d+\])? (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
| 4) [0] ^(?: \[\d+\])? SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s(?:next )?input=".*"\s*$
| 5) [0] ^(?: \[\d+\])? SMTP call from (?:[^\[\( ]* )?(?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
| 6) [1] ^(?: \[\d+\])? SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\sAUTH command used when not advertised\s*$
|      192.0.2.1 Sun Oct 24 00:28:54 2021
| 7) [0] ^(?: \[\d+\])? no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?(?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\sD=\d\S*s(?: C=\S*)?\s*$
| 8) [0] ^(?: \[\d+\])? (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?(?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\sclosed by DROP in ACL\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [1] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
| [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Epoch
| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
| [0] {^LN-BEG}ExYearExMonthExDay(?:T| ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}TAI64N
| [0] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] (?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/ExYear:24hour:Minute:Second
| [0] Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] Epoch
| [0] {^LN-BEG}24hour:Minute:Second
| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
| [0] ExYear2ExMonthExDay ?24hour:Minute:Second
| [0] MON Day, ExYear 12hour:Minute:Second AMPM
| [0] ^MON-Day-ExYear2 %k:Minute:Second
| [0] ExYearExMonthExDay(?:T| ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] (?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] (?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] TAI64N
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

> Maybe it'd work better if
> filter.d/common.conf:24:__pid_re = (?:\[\d+\])
>
> was instead something like:
> filter.d/common.conf:24:__pid_re = (?:\[\d+\]) ?
>
> Though maybe it needs to be a __pid_re specific to exim? or the
> exim.conf pattern should allow blank spaces?

I do not know `__pid_re` of `common.conf` very well. It seems it has to do with the timestamp. But you know there is already this definition in `exim-common.conf`, right? This is the one I am seeing here with fail2ban 0.11.2-2 in `/etc/fail2ban/filter.d/exim-common.conf`:

pid = (?: \[\d+\])?

This definition of `pid` in `exim-common.conf` recently changed in the master development branch, but I tested that as well and still get a match with the latest definition of `pid` as well.

Btw, I see you are referencing a URL of the master development branch, but I assume we are still only talking about 0.11.2 here. Do you have any special customizations in `/etc/fail2ban/jail.d` maybe?

Best,
Peter
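
An added example, not part of the original message and not fail2ban's own code: failregex 6 from the output above, run against constructed variants of the log line to show which differences affect the match. The IPv4 stand-in for `<HOST>`, the fixed timestamp pattern and the names `offending_host` and `odd_whitespace` are assumptions made for this sketch; fail2ban's real `<HOST>` expansion and date detection are broader.

```python
import re

# Failregex 6 as printed by fail2ban-regex above (pid prefix already expanded).
FAILREGEX_6 = (
    r'^(?: \[\d+\])? SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" '
    r'(?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?'
    r'(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?'
    r'\sAUTH command used when not advertised\s*$'
)

# Assumption: simplified IPv4-only replacement for fail2ban's <HOST> tag.
HOST_IPV4 = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX_6.replace('<HOST>', HOST_IPV4))

# Assumption: stand-in for the one date template that hit in the output above.
# The timestamp is cut off first; the failregex sees only the remainder.
TIMESTAMP = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')


def offending_host(line):
    """Return the address failregex 6 would report for this line, or None."""
    stamp = TIMESTAMP.match(line)
    if stamp is None:
        return None
    hit = PATTERN.search(line[stamp.end():])
    return hit.group('host') if hit else None


def odd_whitespace(line):
    """List (offset, repr) of space runs, tabs, NBSP etc. that a pasted
    log line can hide and that the single literal spaces will not absorb."""
    return [(m.start(), repr(m.group())) for m in re.finditer(r' {2,}|[^\S ]', line)]


# Constructed sample lines, derived from the line quoted in this message.
BASE = ('2021-10-24 00:28:54 SMTP protocol error in "AUTH LOGIN" H=(user) '
        '[192.0.2.1] AUTH command used when not advertised')
UPPER_HELO = BASE.replace('H=(user)', 'H=(User)')        # HELO name with capital U
WITH_PID = BASE.replace(' SMTP', ' [1234] SMTP', 1)      # exim logging a pid
DOUBLE_SPACE = BASE.replace(' SMTP', '  SMTP', 1)        # extra blank after timestamp

if __name__ == '__main__':
    for name in ('BASE', 'UPPER_HELO', 'WITH_PID', 'DOUBLE_SPACE'):
        line = globals()[name]
        print(f'{name:13} host={offending_host(line)} odd={odd_whitespace(line)}')
```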