
I'm using Fail2ban on a Mailcleaner server, which works pretty well, but I want to update it to ban hosts that try to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't really understand how regular expressions work.

Here is an example from the log:

2021-02-26 00:02:37 H=([77.31.53.117]) [77.31.53.117] F=our@address.com rejected RCPT our@address.com: This domain does not accept mail from itself (spoofing)

I tried many combinations based on the already existing failregexes, but it doesn't want to ban the attackers.

Can anyone help?

schroeder
Krisztian

3 Answers


This would work (it also matches the other example from the "answer" below):

failregex = ^\s*H=(?:\S+ )?\([^)]+\) \[<ADDR>\](?: [A-Z]+=\S+){1,5} rejected RCPT

Replace <ADDR> with <HOST> if your fail2ban version is older than 0.10.

[UPD] Note that fail2ban cuts the part matching the datepattern (the timestamp) out of the line before it applies failregex (or prefregex), so the RE is anchored at the first space after the timestamp. That space is also optional, so the RE is usable with the systemd backend as well (when monitoring the journal, the message doesn't contain a timestamp at all).

sebres
  • Slight problem with this regex with the leading `^\s*` - the `^` anchors the match to the start of the string, which in OP's example, leads with a timestamp. The regex as it stands would match 0 or more spaces leading up to a `H=\(` which means it would fail to match the line that includes a timestamp. Please consider this and then edit your answer. Otherwise, good effort. – brynk Mar 02 '21 at 21:18
    Fail2ban cuts the part of the string matching the datepattern out before failregex or prefregex are applied. This is done intentionally, so that different timestamp formats, as well as a completely missing timestamp once the logging backend changes to the systemd journal for example, don't have to be considered. So the anchor is fully correct there; please avoid confusing people if you're not familiar with the software. – sebres Mar 03 '21 at 14:59
  • Thanks for clarifying this. – brynk Mar 03 '21 at 20:53
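As an added check, not part of sebres' answer or of fail2ban itself, the following Python script reproduces what fail2ban does with the failregex above: it strips the timestamp from each line first, substitutes a stand-in for the `<ADDR>` tag, and only then applies the anchored regex. It is run over the two log lines from this thread plus two constructed lines: a delivery line that must not match, and a repeat attempt from the first attacker. Because fail2ban uses Python's `re` module, the matching semantics are the same; the date pattern and the `<ADDR>` expansion used here are simplified assumptions (fail2ban's own versions are more general), and `maxretry=2` is only an illustrative threshold.

```python
import re

# Constructed sample input: lines 1 and 2 are the log lines quoted in the
# thread, lines 3 and 4 are made up for this example.
SAMPLE_LOG = [
    "2021-02-26 00:02:37 H=([77.31.53.117]) [77.31.53.117] F=our@address.com "
    "rejected RCPT our@address.com: This domain does not accept mail from itself (spoofing)",
    "2021-03-03 08:57:20 H=emkei.cz (localhost) [93.99.104.210] "
    "X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<test@address.com> "
    "rejected RCPT <testelek3@address.com: This domain does not accept mail from itself (spoofing)",
    # constructed: a normal delivery line, must not match (H= is not at line start)
    "2021-03-03 09:00:01 1lHabc-000123-Xy <= someone@example.org "
    "H=(mx.example.org) [198.51.100.7] P=esmtp S=2048",
    # constructed: second attempt from the first attacker
    "2021-03-03 09:01:15 H=([77.31.53.117]) [77.31.53.117] F=<boss@address.com> "
    "rejected RCPT <staff@address.com>: This domain does not accept mail from itself (spoofing)",
]

# The failregex from the answer above, verbatim.
FAILREGEX = r"^\s*H=(?:\S+ )?\([^)]+\) \[<ADDR>\](?: [A-Z]+=\S+){1,5} rejected RCPT"

# Assumption: simplified stand-in for fail2ban's <ADDR>/<HOST> expansion
# (IPv4 dotted quad or a bare IPv6 literal). fail2ban's real pattern is richer.
ADDR_RE = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{2,39})"

# Assumption: simplified datepattern for Exim's default "YYYY-MM-DD HH:MM:SS"
# prefix; fail2ban detects the timestamp format itself.
DATE_RE = re.compile(
    r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [+-]\d{4})?\s?"
)


def compile_failregex(failregex):
    """Expand the <ADDR> (or pre-0.10 <HOST>) tag and compile, as fail2ban does."""
    expanded = failregex.replace("<ADDR>", ADDR_RE).replace("<HOST>", ADDR_RE)
    return re.compile(expanded)


def strip_timestamp(line):
    """Mimic fail2ban cutting the datepattern match out of the line first."""
    return DATE_RE.sub("", line, count=1)


def matched_addrs(lines, failregex=FAILREGEX, strip_date=True):
    """Return the address captured from every line the failregex fires on.

    strip_date=False shows what happens if the timestamp were NOT removed:
    the ^ anchor then fails on every line, which is the confusion discussed
    in the comments above.
    """
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        msg = strip_timestamp(line) if strip_date else line
        m = rx.search(msg)
        if m:
            hits.append(m.group("addr"))
    return hits


def ban_candidates(lines, maxretry=2):
    """Addresses that hit the failregex at least maxretry times (findtime ignored)."""
    counts = {}
    for addr in matched_addrs(lines):
        counts[addr] = counts.get(addr, 0) + 1
    return sorted(a for a, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = matched_addrs([line])
        print(("MATCH " + hit[0]) if hit else "no match", "|", line[:60])
    print("would ban:", ban_candidates(SAMPLE_LOG))
```

Against the real installation, `fail2ban-regex <logfile> <filter file or regex>` does the same job and prints which lines matched and which did not; that is the quickest way to see whether a failregex fires at all (the log and filter paths depend on how Mailcleaner lays out its fail2ban configuration).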

Thank you! This could work, but the attackers have already stopped attacking us. So I have to reproduce the problem with an online fake mailer (https://emkei.cz/), but with this the log message changed a bit and Fail2ban doesn't ban the IP.

2021-03-03 08:57:20 H=emkei.cz (localhost) [93.99.104.210] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<test@address.com> rejected RCPT <testelek3@address.com: This domain does not accept mail from itself (spoofing)

Is there any way to change the regex to fit this log message? I think I should change it so that whatever appears between the end of "H=x-x-x-x" and the beginning of "F=" doesn't matter.

Krisztian
  • I updated my answer above, so the RE must match both variants now. (It would be better to update your question and ping me in a comment on my answer, because one doesn't notice the other answers; I saw it only by accident.) – sebres Mar 03 '21 at 15:19
  • Thank you, it works! Sorry about that. – Krisztian Mar 04 '21 at 07:14

I use my own rules:

[Definition]
failregex = \[<HOST>\]: 535 Incorrect authentication data
            no host name found for IP address <HOST>
            rejected because <HOST>
            rejected HELO from (.*)\[<HOST>\]
            rejected EHLO from (.*)\[<HOST>\]
            unqualified verify rejected: (.*)\[<HOST>\]
            SMTP command timeout on connection from (.*)\[<HOST>\]
            SMTP syntax error (.*)\[<HOST>\]
            TLS error on connection from (.*)\[<HOST>\]
            \[<HOST>\] dropped: too many unrecognized commands
            \[<HOST>\] unrecognized command
            \[<HOST>\] sender verify fail for
            \[<HOST>\] (.*)failed to find host name from IP address
            \[<HOST>\] (.*)Unknown user
            \[<HOST>\] (.*)relay not permitted
            synchronization error (.*)\[<HOST>\]
            \[<HOST>\] (.*)rejected after DATA
ignoreregex =