Fail2ban config typo? Or am I missing something?

fail2ban uses this for exim:
[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog

exim filter uses this regex:
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            <mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$

That regex is not in mainlog but in the reject log. So shouldn't exim in f2b be:
[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/rejectlog

?? Or am I missing something?

Rejects are being logged in both rejectlog and mainlog:

2021-09-10 19:45:11 End queue run: pid=3458860
2021-09-10 19:45:19 dovecot_login authenticator failed for (User) [87.246.7.212]: 535 Incorrect authentication data (set_id=dezhou@xxxx)
2021-09-10 19:45:31 dovecot_login authenticator failed for (User) [87.246.7.212]: 535 Incorrect authentication data (set_id=dezhou@xxx)
2021-09-10 19:45:34 dovecot_login authenticator failed for (User) [212.70.149.71]: 535 Incorrect authentication data (set_id=stf@xx)

So it seems to be fine
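The quickest way to settle "does this filter match what is in this file" is to run the filter's regexes over the actual log lines. The block below is an added example (it is not code from the thread or from fail2ban itself): it emulates with the plain `re` module what fail2ban does for the exim filter, using two of the `failregex` patterns quoted above, the three `authenticator failed` lines from the post above, and two constructed lines (one with Exim's optional `[pid]` prefix, one `rejected RCPT` line). The `%(pid)s` and `%(host_info)s` definitions are reproduced from memory of `filter.d/exim-common.conf` and the `<HOST>` placeholder is simplified to "anything inside the brackets", so treat both as assumptions and compare them with the files on your host.

```python
"""
Added example, not part of the original thread or of fail2ban: emulate what
fail2ban does when it applies the exim filter's failregex to log lines, so you
can see which file (mainlog or rejectlog) actually contains matching lines.
"""
import re

# ASSUMPTION: values of filter.d/exim-common.conf reproduced from memory.
# Check them against /etc/fail2ban/filter.d/exim-common.conf on your host.
PID = r"( \[\d+\])?"
HOST_INFO_PRE = r"(?:H=([\w.-]+ )?(?:\(\S+\) )?)?"
HOST_INFO_SUF = (r"(?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?"
                 r"(?: P=e?smtps?a?)?(?: F=(?:<>|[^@]+@\S+))?\s")
HOST_INFO = HOST_INFO_PRE + r"\[<HOST>\]" + HOST_INFO_SUF

# ASSUMPTION: simplified stand-in for fail2ban's <HOST> (IP or hostname).
HOST = r"(?P<host>[^\]\s]+)"

# Two patterns copied verbatim from filter.d/exim.conf as quoted in the thread.
FAILREGEX = [
    r"^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?"
    r"\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication "
    r"data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$",
    r"^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: "
    r"(?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$",
]

# Exim's default timestamp; fail2ban strips it before applying failregex,
# leaving the rest of the line (including its leading space) for the regex.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?: [+-]\d{4})?")

# Constructed sample: lines 1-4 are quoted from the thread (domains already
# redacted there), lines 5-6 are made up for this example.
SAMPLE_LINES = [
    "2021-09-10 19:45:11 End queue run: pid=3458860",
    "2021-09-10 19:45:19 dovecot_login authenticator failed for (User) [87.246.7.212]: 535 Incorrect authentication data (set_id=dezhou@xxxx)",
    "2021-09-10 19:45:31 dovecot_login authenticator failed for (User) [87.246.7.212]: 535 Incorrect authentication data (set_id=dezhou@xxx)",
    "2021-09-10 19:45:34 dovecot_login authenticator failed for (User) [212.70.149.71]: 535 Incorrect authentication data (set_id=stf@xx)",
    "2021-09-10 19:45:40 [12345] dovecot_plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)",
    "2021-09-10 19:46:02 H=(example) [203.0.113.5] F=<spam@example.net> rejected RCPT <nobody@example.org>: relay not permitted",
]


def compile_failregex(patterns):
    """Expand %(pid)s / %(host_info)s and <HOST> the way fail2ban's config reader does."""
    subst = {"pid": PID, "host_info": HOST_INFO}
    return [re.compile((p % subst).replace("<HOST>", HOST)) for p in patterns]


def match_line(compiled, line):
    """Return the host captured by the first matching failregex, or None."""
    rest = DATE_RE.sub("", line, count=1)
    for rx in compiled:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def scan(lines, patterns=FAILREGEX):
    """Count matches per host over a list of log lines (what a jail would ban on)."""
    compiled = compile_failregex(patterns)
    hits = {}
    for line in lines:
        host = match_line(compiled, line)
        if host:
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == "__main__":
    for host, count in sorted(scan(SAMPLE_LINES).items()):
        print(f"{host}: {count} matching line(s)")
```

Run against the lines from the post above, all three `authenticator failed` lines match and yield the client IP, while the `End queue run` line is ignored, which is the behaviour the thread ends up observing. On a real host the equivalent check is `fail2ban-regex /var/log/exim4/mainlog exim` (and the same with `rejectlog`), which prints how many lines each `failregex` matched; the jail's `logpath` decides which of those files fail2ban actually reads.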

Dovecot has its own config in fail2ban. My mainlog has the queue and stuff logging but no logins of any type. Dovecot is in its own log and exim in rejectlog.

Could a software package have altered a configuration file and changed something? If so, do you have an idea where I should look?

In filter.d/exim:

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

# Pre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            <mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$

mdre-normal = 

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
#   'no host found for IP', 'no IP found for host'.
# Note this is not an authentication failures, so it may produce lots of false 
# positives on misconfigured MTAs.
# Ex.:
#   filter = exim[mode=aggressive]
mode = normal

ignoreregex = 

# DEV Notes:
# The %(host_info) definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to avoid capture beyond ")" to avoid a DoS injection vulnerability as input= is
# user injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)
#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)

Thank you for the help. I actually found the problem in the system log. I think it's a change from the log monitoring software installed. Now it's logging to the correct log.
