fail2ban regex hostname doesn't match IP

Discussion in 'Server Operation' started by FredZ, Jun 4, 2021.

  1. FredZ

    FredZ Member HowtoForge Supporter

    Hi all

    I wish to create a filter in fail2ban to filter the following string.
    Code:
    warning: hostname domain.tld does not resolve to address ***.***.***.***: Name or service not known
    
    I have added the necessary info to the /etc/fail2ban/jail.local, and have created the necessary file in /etc/fail2ban/filter.d

    I simply don't understand how to create/format the regex information.

    The object is to have F2B ban such connections the same as it does failed authentication attempts.

    Regards

    Fred
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. FredZ

    FredZ Member HowtoForge Supporter

    Thank you for that.
    However I am now very confused.
    I first tested the sasl authentication regex that is known to function as expected and I get no matches.
    Code:
    ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|$
    or
    warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|$
    Test string
    Code:
    Jun  5 01:05:17 mx postfix/smtpd[5462]: warning: unknown[77.247.110.208]: SASL LOGIN authentication failed:
    Clearly I am doing something wrong. But yet again I find myself in the position where knowledge is assumed, and I simply don't have it to start with.

    Regards

    Fred
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What did you do to test it?
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Now that I'm on a full sized screen, it's clear what you posted there is incomplete, the full line from postfix-sasl.conf is:
    Code:
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
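
Added example, not part of the thread and not fail2ban's own code: a small Python harness that mimics how a failregex is applied (timestamp cut out first, then placeholders expanded) and runs the thread's patterns against its log lines. `HOST`, `PREFIX` and `TIMESTAMP` are simplified stand-ins for fail2ban's real `<HOST>`, `__prefix_line` and date detection; the `HOSTNAME_WARNING` pattern and the second log line with its address are constructed here, and the SASL pattern uses a scoped `(?i:...)` because Python 3.11+ rejects an inline `(?i)` that is not at the start of the expression.

```python
import re

# Simplified stand-ins (assumptions) for what fail2ban substitutes into a failregex.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # the real <HOST> also accepts IPv6 and DNS names
PREFIX = r"\S+ postfix/\w+\[\d+\]: "           # the real __prefix_line comes from common.conf
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog date only

# Pattern exactly as tested in post 3: it stops in the middle of a group.
TRUNCATED = r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|$"
# Full line from post 5, with (?i) rewritten as a scoped group (see lead-in).
SASL = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL "
        r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
        r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$")
# Constructed candidate for the message in post 1 (not from the thread).
HOSTNAME_WARNING = (r"^%(__prefix_line)swarning: hostname \S+ does not resolve "
                    r"to address <HOST>(?:: .*)?$")

SASL_LINE = ("Jun  5 01:05:17 mx postfix/smtpd[5462]: warning: "
             "unknown[77.247.110.208]: SASL LOGIN authentication failed:")
# Constructed sample line; 203.0.113.7 is a documentation address.
DNS_LINE = ("Jun  5 01:07:42 mx postfix/smtpd[5470]: warning: hostname domain.tld does "
            "not resolve to address 203.0.113.7: Name or service not known")

def expand(failregex):
    """Replace the fail2ban placeholders with the simplified patterns above."""
    return failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)

def find_host(failregex, line):
    """Return the address the failregex captures from line, or None."""
    try:
        pattern = re.compile(expand(failregex))
    except re.error:
        return None  # a regex cut off mid-group does not compile, so it never matches
    # fail2ban cuts the recognised timestamp out first, so "^" anchors after it.
    match = pattern.search(TIMESTAMP.sub("", line, count=1))
    return match.group("host") if match else None

if __name__ == "__main__":
    for name, rx in (("truncated", TRUNCATED), ("sasl", SASL), ("hostname", HOSTNAME_WARNING)):
        for line in (SASL_LINE, DNS_LINE):
            print(f"{name:10} -> {find_host(rx, line)}")
```

On a server with fail2ban installed, `fail2ban-regex <logfile> <filter file>` performs the real expansion and reports matched and missed lines.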
    
     
