Unable to match sendmail "Connection rate limit exceeded" with fail2ban



I can't find a fail2ban regex that matches the following lines:

Apr 19 20:17:12 localhost sm-mta[201892]: ruleset=check_relay, arg1=[12.345.7.789], arg2=12.345.7.789, relay=host.hostname.com [12.345.7.789] (may be forged), reject=421 4.3.2 Connection rate limit exceeded.
Apr 19 20:17:53 localhost sm-mta[201902]: 13JIHpTD201902: [12.345.7.789] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4

Here is the relevant fail2ban configuration:

[Definition]
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=(?:IPv6:<IP6>|<IP4>), relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$

I'm testing with fail2ban-regex test-mail.log /etc/fail2ban/filter.d/sendmail-reject.conf

Result:

Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:.Microseconds)?(?: ExYear)?
`-
Lines: 5 lines, 0 ignored, 0 matched, 5 missed
[processed in 0.00 sec]

Any idea?

Thanks!

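The second message (did not issue MAIL/EXPN/VRFY/ETRN) would be found if you set mode aggressive for the sendmail-reject jail (after this fix, e.g. v.0.10.6 and 0.11.2).

The first message (rate limit exceeded) indeed had no exact rule matching this kind of message, because of different handling of the arguments, but I have now fixed this in f0214b3 on GitHub.

Until it is released, you can extend it in the filter (copy-paste from the GitHub filter) or directly in the jail: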

[sendmail-reject]
enabled = true
mode = aggressive
failregex = %(known/failregex)s
            ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[?<ADDR>\]?(?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
            ^(?:\S+ )?\[<ADDR>\](?: \(may be forged\))? did not issue \S+ during connection
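
Added example, not part of the original answer and not fail2ban's own code: a Python check that runs the question's check_relay rule and the answer's two rules against the question's log lines, to show which rule matches what. `IP4`, `ADDR` and `PREFIX` are simplified stand-ins (assumptions) for fail2ban's `<IP4>`, `<ADDR>` and prefregex handling, and the third log line is constructed.

```python
import re

# Assumption: simplified IPv4-only stand-ins for fail2ban's <IP4> and <ADDR> tags.
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ADDR = r"(?P<host>" + IP4 + r")"
FORGED = r"(?: \(may be forged\))?"
TAIL = (r", reject=421 4\.3\.2 "
        r"(Connection rate limit exceeded\.|Too many open connections\.)$")

# Assumption: rough equivalent of the syslog prefix that prefregex strips
# (date, host, daemon[pid], optional 14-20 character queue id).
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sm-mta\[\d+\]: (?:\w{14,20}: )?")

RULES = {
    # Rule from the question: the relay host name must equal arg1 (backreference).
    "old check_relay": re.compile(
        r"^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=" + IP4 +
        r", relay=((?P=dom) )?\[(\d+\.){3}\d+\]" + FORGED + TAIL),
    # Rules from the answer: any argN list, any relay host name.
    "new check_relay": re.compile(
        r"^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[?" + ADDR +
        r"\]?" + FORGED + TAIL),
    "new did-not-issue": re.compile(
        r"^(?:\S+ )?\[" + ADDR + r"\]" + FORGED +
        r" did not issue \S+ during connection"),
}

LOG = [
    # The two lines from the question.
    "Apr 19 20:17:12 localhost sm-mta[201892]: ruleset=check_relay, "
    "arg1=[12.345.7.789], arg2=12.345.7.789, relay=host.hostname.com "
    "[12.345.7.789] (may be forged), reject=421 4.3.2 Connection rate limit exceeded.",
    "Apr 19 20:17:53 localhost sm-mta[201902]: 13JIHpTD201902: [12.345.7.789] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4",
    # Constructed line: arg1 carries the host name, so the old rule matches too.
    "Apr 19 20:18:01 localhost sm-mta[201910]: ruleset=check_relay, "
    "arg1=host.example.org, arg2=192.0.2.10, relay=host.example.org "
    "[192.0.2.10], reject=421 4.3.2 Too many open connections.",
]

def matches(line):
    """Return {rule: captured host, or True if the rule captures none}."""
    content = PREFIX.sub("", line, count=1)
    found = ((n, rx.search(content)) for n, rx in RULES.items())
    return {n: m.groupdict().get("host", True) for n, m in found if m}

if __name__ == "__main__":
    for line in LOG:
        print(matches(line) or "missed")
```

The old rule misses the question's first line because its `(?P=dom)` backreference expects the relay host name to repeat arg1, which in that line holds the bracketed IP instead.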
