
List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Date problems with filter rules
From:       Steven Hiscocks <steven-fail2ban.users () hiscocks ! me ! uk>
Date:       2014-05-15 7:58:43
Message-ID: 4810543a-84ab-4ec0-b47c-a1fd538c3f37 () email ! android ! com



On 13 May 2014 04:35:29 BST, Alex <mysqlstudent@gmail.com> wrote:
> Hi,
> 
> I'm using fail2ban-0.9 on fedora20 with squirrelmail-1.4.21 and the
> squirrel_logger plugin to catch mass mailing attempts, typically
> indicative of a hacked account.
> 
> I've written the following very broad rule:
> 
> failregex = .* from <HOST>: Total.*$
> 
> Using fail2ban-regex, it catches it properly with the following entry
> from an actual recorded entry in the squirrelmail log file:
> 
> May 12 22:08:20 [MASS_MAILING] user1 (myhost.com) from 186.88.190.70: Total 31 recipients (FROM: info@helpdesk.net) (SUBJECT: Dear Email User!!!)
> 
> The problem is, fail2ban itself doesn't trigger on it. If I remove the
> date, it does work. However, the date is recorded by squirrelmail in
> this log file dedicated to squirrelmail logins.
> 
> How can I have fail2ban ignore the date?
> 
> Thanks,
> Alex
> 
The regex already checks against lines with the date time stripped. Nothing looks
wrong on the face of it. Might be worth starting Fail2Ban with "fail2ban-client -vvv
start" and see if there are any config issues. Also could set log level to DEBUG.

--
Steven Hiscocks
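
The following is an added example, not part of the original message and not fail2ban's own code. It emulates the two steps described in the reply (timestamp removed, then failregex applied) on the log line quoted in the thread. The HOST and TIMESTAMP patterns, the helper names and the ANCHORED regex are assumptions made for illustration; fail2ban's real <HOST> expansion and date detection are more general.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 or hostname).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w\-.]*\w)"

# Assumption: syslog-style "Mon DD HH:MM:SS" stamp, as in the quoted log line.
TIMESTAMP = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}")

# Log line taken from the thread.
LOG_LINE = (
    "May 12 22:08:20 [MASS_MAILING] user1 (myhost.com) from 186.88.190.70: "
    "Total 31 recipients (FROM: info@helpdesk.net) (SUBJECT: Dear Email User!!!)"
)

# The rule from the thread, and a hypothetical tighter rule written against
# the line as it looks once the timestamp has been removed.
BROAD = r".* from <HOST>: Total.*$"
ANCHORED = r"^\s*\[MASS_MAILING\] \S+ \(\S+\) from <HOST>: Total \d+ recipients"


def strip_timestamp(line):
    """Remove the first timestamp found, leaving the rest of the line intact."""
    return TIMESTAMP.sub("", line, count=1)


def find_host(failregex, line, strip=True):
    """Return the host captured by failregex, or None if the line does not match."""
    candidate = strip_timestamp(line) if strip else line
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    match = pattern.search(candidate)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("anchored", ANCHORED)):
        print(name, "stripped:", find_host(rule, LOG_LINE))
        print(name, "raw:     ", find_host(rule, LOG_LINE, strip=False))
```

The broad rule matches with or without the timestamp because its leading `.*` absorbs it, so the regex alone does not explain the missed ban. The anchored rule only matches the stripped line, which is why a failregex is written without the date.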


