My fail2ban is not banning the way I expected.
Example entries from my log:
Jul 26 07:11:29 mail couriertcpd: LOGIN FAILED, user=sally, ip=[::ffff:54.191.110.169]
Jul 26 07:13:22 mail couriertcpd: LOGIN FAILED, user=ddos, ip=[::ffff:54.193.13.22]
Jul 26 07:14:45 mail couriertcpd: LOGIN FAILED, user=sally, ip=[::ffff:54.191.110.169]
My courierstmp setup is more or less /etc/fail2ban/filter.d/courierlogin.conf:
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
ignoreregex =
Running the test produces no matches.
fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filter.d/courierlogin.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/courierlogin.conf
Use log file : /var/log/mail.log
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(?:courier|couriertcpd)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:courier|couriertcpd)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*LOGIN FAILED, user=.*, ip=\[<HOST>\]$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [296708] MONTH Day Hour:Minute:Second
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Day/MONTH/Year:Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 296708 lines, 0 ignored, 0 matched, 296708 missed
I tried replacing courier with couriertcpd, but that did not help. I am not sure what else I can do to get this working.
Answer 1
After a lot of searching I finally realized that the supplied filter regex is a catch-all. I do not need that, so I changed the regex to fit my specific case.
# OLD
# failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
# NEW
failregex = couriertcpd: LOGIN FAILED, user=.*, ip=\[<HOST>\]$
This works well, and I am happy to be getting rid of those pests.
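The test output above explains the failure: the filter's `_daemon` pattern `(?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?` can never match the daemon name `couriertcpd` that actually appears in these log lines, so the anchored `__prefix_line` never gets past the daemon field. The following Python script is an added example, not code from the original post or from fail2ban itself. It uses a simplified stand-in for `common.conf`'s `__prefix_line` (a hostname, the daemon name, an optional `[pid]`, a colon; fail2ban strips the timestamp before matching) and the `<HOST>` expansion from fail2ban 0.8/0.9's filter.py, then runs three variants over constructed log lines with made-up documentation-range IPs: the post's original `_daemon`, the poster's unanchored replacement, and the hypothetical alternative fix of setting `_daemon = couriertcpd` so the prefix anchoring is kept.

```python
import re

# Constructed sample log lines in the same format as the post (IPs are made up).
# fail2ban removes the syslog timestamp before applying failregex; strip_date() mimics that.
SAMPLE_LOG = """\
Jul 26 07:11:29 mail couriertcpd: LOGIN FAILED, user=sally, ip=[::ffff:203.0.113.5]
Jul 26 07:13:22 mail couriertcpd: LOGIN FAILED, user=ddos, ip=[::ffff:198.51.100.7]
Jul 26 07:14:45 mail couriertcpd: LOGIN FAILED, user=sally, ip=[::ffff:203.0.113.5]
Jul 26 07:15:01 mail imapd: LOGIN, user=bob, ip=[::ffff:192.0.2.9]
""".splitlines()

# <HOST> as fail2ban 0.8/0.9 expand it: an optional IPv4-mapped IPv6 prefix
# ("::ffff:") that is *not* part of the captured host, followed by the host itself.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")


def strip_date(line):
    """Remove the syslog timestamp, as fail2ban does before running failregex."""
    return DATE_RE.sub("", line, count=1)


def prefix_line(daemon_pattern):
    """Simplified stand-in (assumption) for common.conf's __prefix_line:
    optional hostname, the daemon name, optional [pid], a colon and whitespace."""
    return r"^\s*(?:\S+ )?" + daemon_pattern + r"(?:\[\d+\])?:\s+"


def build_failregex(daemon_pattern):
    """Assemble the anchored failregex from the post with the given _daemon value."""
    return re.compile(prefix_line(daemon_pattern)
                      + r"LOGIN FAILED, user=.*, ip=\[" + HOST + r"\]$")


# _daemon exactly as in the post's courierlogin.conf: never matches "couriertcpd".
ORIGINAL_DAEMON = r"(?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?"
# Hypothetical alternative fix: name the daemon that really writes the log line,
# keeping __prefix_line so the match stays anchored to the daemon field.
FIXED_DAEMON = r"couriertcpd"

# The poster's own replacement: unanchored, prefix line dropped entirely.
POSTER_REGEX = re.compile(r"couriertcpd: LOGIN FAILED, user=.*, ip=\[" + HOST + r"\]$")


def hosts_matched(regex, lines):
    """Return the <host> captured from every line the regex matches, in order."""
    hits = []
    for line in lines:
        m = regex.search(strip_date(line))
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for label, rx in (("original _daemon", build_failregex(ORIGINAL_DAEMON)),
                      ("_daemon = couriertcpd", build_failregex(FIXED_DAEMON)),
                      ("poster's unanchored regex", POSTER_REGEX)):
        print("%-26s -> %s" % (label, hosts_matched(rx, SAMPLE_LOG)))
```

Both fixes extract the bare IPv4 address (the `::ffff:` prefix is consumed by the `<HOST>` expansion, so the ban lands on the right address), and the successful `LOGIN` line is ignored by all three. The difference is that `_daemon = couriertcpd` keeps the daemon-name anchoring from `__prefix_line`, whereas the poster's pattern will match the string `couriertcpd: LOGIN FAILED ...` wherever it appears in a line; with fail2ban's usual IP-only match that is mostly harmless, but keeping the prefix is the tighter filter.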