fail2ban failregex for citadel mail server not working


Sample syslog entry

May 13 19:43:30 mail citserver[67267]: citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <119.96.245.49.unknown.m1.com.sg / 49.245.96.119>

Failing fail2ban failregex

failregex = ^%(__prefix_line)suser_ops: bad password specified for <[^>]+> Service <[^>]+> Port <[^>]+> Remote <<HOST>

Thanks!!!

Ran fail2ban-regex on a test.log file

root@mail:/etc/fail2ban# fail2ban-regex test.log /etc/fail2ban/filter.d/citadel.conf

Running tests
=============

Use   failregex filter file : citadel, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : test.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 6 lines, 0 ignored, 0 matched, 6 missed
[processed in 0.00 sec]

|- Missed line(s):
|  May 13 18:52:58 mail citserver[67267]: citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <119.145.190.102 / 119.145.190.102>
|  May 13 18:52:58 mail citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <119.145.190.102 / 119.145.190.102>
|  May 13 18:53:40 mail citserver[67267]: citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <217.144.254.139 / 217.144.254.139>
|  May 13 18:53:40 mail citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <217.144.254.139 / 217.144.254.139>
|  May 13 18:53:48 mail citserver[67267]: citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <50-73-254-237-ip-static.hfc.comcastbusiness.net / 50.73.254.237>
|  May 13 18:53:48 mail citserver[67267]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <25> Remote <50-73-254-237-ip-static.hfc.comcastbusiness.net / 50.73.254.237>

Tim Roberts

Your regex does not match lines without a username (that is, "specified for <>"). You use the "+" modifier, which requires at least one character.

So, change "<[^>]+>" to "<[^>]*>", and you should be good. "+" matches 1 or more. "*" matches 0 or more.
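As an added example (not code from the question or the answer), the original failregex and the fixed one are run in Python over sample lines constructed from the question's log. fail2ban's `%(__prefix_line)s` and `<HOST>` tags are replaced here by simplified stand-in patterns, and the third, stricter variant is my own suggestion based on the `<name / address>` shape of the Remote field.

```python
import re

# Constructed sample lines modelled on the syslog entries quoted in the question
# (both the single and the doubled "citserver[67267]:" tag occur there). The
# third line, with a non-empty username, is added for contrast.
SAMPLE_LINES = [
    "May 13 19:43:30 mail citserver[67267]: citserver[67267]: user_ops: bad password "
    "specified for <> Service <SMTP-MTA> Port <25> "
    "Remote <119.96.245.49.unknown.m1.com.sg / 49.245.96.119>",
    "May 13 18:52:58 mail citserver[67267]: user_ops: bad password "
    "specified for <> Service <SMTP-MTA> Port <25> "
    "Remote <119.145.190.102 / 119.145.190.102>",
    "May 13 18:53:48 mail citserver[67267]: citserver[67267]: user_ops: bad password "
    "specified for <alice> Service <SMTP-MTA> Port <25> "
    "Remote <50-73-254-237-ip-static.hfc.comcastbusiness.net / 50.73.254.237>",
]

# Simplified stand-ins for fail2ban's template tags (assumptions for this demo,
# not fail2ban's own definitions): %(__prefix_line)s becomes a syslog timestamp,
# a hostname and one or more "daemon[pid]:" tags; <HOST> becomes a named group.
PREFIX = r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?:\S+\[\d+\]: )+"
HOST = r"(?P<host>[\w.-]+)"
BODY = r"user_ops: bad password specified for <[^>]{q}> Service <[^>]{q}> Port <[^>]{q}> Remote <"

# The question's failregex: "+" demands at least one character inside "for <...>",
# so every "for <>" line is missed.
BROKEN = re.compile(PREFIX + BODY.format(q="+") + HOST)
# The answer's fix: "*" also accepts the empty username.
FIXED = re.compile(PREFIX + BODY.format(q="*") + HOST)
# My further tightening: the field is "<reverse-DNS name / address>", so capture
# the address after " / ". Otherwise <HOST> takes the reverse-DNS name, which the
# remote side controls, and fail2ban would have to resolve it instead of banning
# the connecting address itself.
STRICT = re.compile(PREFIX + BODY.format(q="*") + r"(?:[^>/]+ / )?" + HOST + r">")


def extract_hosts(pattern, lines):
    """Return the <host> capture of every line the compiled pattern matches."""
    return [m.group("host") for m in map(pattern.match, lines) if m]


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED), ("strict", STRICT)):
        print(name, extract_hosts(pattern, SAMPLE_LINES))
```

Running it shows the original pattern matching only the line that has a username, while both corrected patterns match all three lines; the strict variant is the only one that yields the connecting address rather than the reverse-DNS name.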