Use an "ignoreregex = 127\.0\.0\.1" line. Or just set an ignoreip of
127.0.0.1.

On 22/03/2023 19:22, James Moe via Fail2ban-users wrote:

We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it
is always a dictionary attack.

We also have a SPAM proxy (ASSP) that filters incoming mail before sending a
connection to the mail server; the connections are for ports 25 and 587. The
mail server logs these connections as:

    11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6

When a spammer uses port 465, though, it bypasses the filter and connects to the
mail server directly:

    10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6

My question is: How do I create a regular expression that ignores the log
entries with "127.0.0.1"?

The current regex is:

    failregex = ^.*\[<HOST>\] .* 334 VXNlcm5hbWU6.*
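
Both suggestions from the reply, checked against the two log lines quoted above, as an added example that is not part of the original thread or of fail2ban's own code. `flagged_hosts` and the IPv4-only `HOST` pattern are simplified stand-ins assumed for this sketch, and the failregex here adds `\)` after `\]` so that it matches the log lines as they are quoted.

```python
import ipaddress
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag (the real tag also covers IPv6 and names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two log lines quoted in the original message.
LOG_LINES = [
    "11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6",
    "10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6",
]

# failregex from the thread, with \) added so it matches the "])" in the quoted lines.
FAILREGEX = r"^.*\[<HOST>\]\) .* 334 VXNlcm5hbWU6.*"

# Option 1a: the ignoreregex exactly as suggested in the reply.
IGNOREREGEX = r"127\.0\.0\.1"
# Option 1b: a stricter variant tied to the "([addr])" position in the line.
IGNOREREGEX_STRICT = r"\(\[127\.0\.0\.1\]\)"
# Option 2: leave the regexes alone and exempt the address via ignoreip.
IGNOREIP = ["127.0.0.1"]


def flagged_hosts(lines, failregex, ignoreregex=None, ignoreip=()):
    """Hypothetical helper: return the hosts that would be counted as failures."""
    fail = re.compile(failregex.replace("<HOST>", HOST))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):
            continue  # line dropped by ignoreregex before it can count
        m = fail.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # digits that are not a valid address
        if any(addr in net for net in nets):
            continue  # host exempted by ignoreip
        hosts.append(str(addr))
    return hosts


if __name__ == "__main__":
    print(flagged_hosts(LOG_LINES, FAILREGEX))                  # no exemption
    print(flagged_hosts(LOG_LINES, FAILREGEX, IGNOREREGEX))     # ignoreregex
    print(flagged_hosts(LOG_LINES, FAILREGEX, None, IGNOREIP))  # ignoreip
```

On a host with fail2ban installed, `fail2ban-regex` performs the same check against the real log file and filter.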