Hi! Let's say I want to use fail2ban for these kinds of log entries found in mail.log:

    Dec 7 12:14:44 mail postfix/smtpd[10319]: NOQUEUE: reject: RCPT from unknown[95.140.39.181]: 554 5.7.1 Service unavailable; Client host [95.140.39.181] blocked using zen . spamhaus. org; spamhaus.org/sbl/query/SBLCSS / spamhaus. org/sbl/query/SBL379270; from=<kaspar3jetbqkgrosz@ amniotik. com> to=<firstname . lastname@ domain.tld> proto=ESMTP helo=<squeak. healfairys.com>

Note that I had to break/fake some links in this post, as otherwise I can't post this topic at all.

I have tried it like this in fail2ban's postfix.conf file:

    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>*$

but there is something wrong, as after adding that failregex line fail2ban won't work. Restarting the service gives this kind of error:

    scan02:/etc/fail2ban/filter.d# /etc/init.d/fail2ban restart
    Restarting authentication failure monitor: fail2banTraceback (most recent call last):
      File "/usr/bin/fail2ban-client", line 404, in <module>
        if client.start(sys.argv):
      File "/usr/bin/fail2ban-client", line 373, in start
        return self.__processCommand(args)
      File "/usr/bin/fail2ban-client", line 183, in __processCommand
        ret = self.__readConfig()
      File "/usr/bin/fail2ban-client", line 378, in __readConfig
        ret = self.__configurator.getOptions()
      File "/usr/share/fail2ban/client/configurator.py", line 68, in getOptions
        return self.__jails.getOptions(jail)
      File "/usr/share/fail2ban/client/jailsreader.py", line 67, in getOptions
        ret = jail.getOptions()
      File "/usr/share/fail2ban/client/jailreader.py", line 80, in getOptions
        self.__filter.getOptions(self.__opts)
      File "/usr/share/fail2ban/client/filterreader.py", line 61, in getOptions
        self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
      File "/usr/share/fail2ban/client/configreader.py", line 87, in getOptions
        v = self.get(sec, option[1])
      File "/usr/lib/python2.7/ConfigParser.py", line 623, in get
        return self._interpolate(section, option, value, d)
      File "/usr/lib/python2.7/ConfigParser.py", line 691, in _interpolate
        self._interpolate_some(option, L, rawval, section, vars, 1)
      File "/usr/lib/python2.7/ConfigParser.py", line 723, in _interpolate_some
        option, section, rest, var)
    ConfigParser.InterpolationMissingOptionError: Bad value substitution:
        section: [Definition]
        option : failregex
        key    : __prefix_line
        rawval : NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>*$
     failed!

I don't get it, what am I doing wrong? fail2ban is running version 0.8.6-3wheezy3 on a Debian system.

Hi!! I found this code in another forum; it works perfectly for me on CentOS 7. I hope it works for you! I put this filter on a jail blocking all ports, 3600 seconds and 2-hit detection. Are these parameters fine for you? Cheers!

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = postfix/(submission/)?smtp(d|s)
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 .*$
    ignoreregex =

    [Init]
    journalmatch = _SYSTEMD_UNIT=postfix.service
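
Added example, not part of either post: the traceback in the question reports `__prefix_line` as a missing interpolation key, and the filter in the reply pulls that name in through `[INCLUDES] before = common.conf`. The Python 3 sketch below reproduces the error with the question's failregex and shows it resolving once the name is defined. `PREFIX_LINE` and `HOST_GROUP` are simplified stand-ins for fail2ban's own definitions, and the log line is constructed in the shape of the one in the question.

```python
import configparser
import re

# Simplified stand-ins (assumptions): fail2ban's real __prefix_line from
# common.conf and its real <HOST> expansion are more elaborate.
PREFIX_LINE = r"\S+\s+\d+ [\d:]+ \S+ postfix/smtpd\[\d+\]:\s+"
HOST_GROUP = r"(?P<host>[\w.:-]+)"

# failregex exactly as posted in the question.
FAILREGEX = (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: "
             r"554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked "
             r"using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>*$")

# Filter as in the question: nothing defines __prefix_line.
QUESTION_FILTER = "[Definition]\nfailregex = " + FAILREGEX + "\n"
# Emulates the effect of "[INCLUDES] before = common.conf": the included
# file's defaults become visible to interpolation in [Definition].
FIXED_FILTER = "[DEFAULT]\n__prefix_line = " + PREFIX_LINE + "\n" + QUESTION_FILTER

# Constructed log line in the shape of the one in the question.
SAMPLE_LINE = ("Dec  7 12:14:44 mail postfix/smtpd[10319]: NOQUEUE: reject: "
               "RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; "
               "Client host [192.0.2.10] blocked using zen.spamhaus.org; "
               "from=<sender@example.com> to=<user@example.net> "
               "proto=ESMTP helo=<mail.example.org>")

def load_failregex(filter_text):
    """Return failregex after %(name)s interpolation of the filter text."""
    parser = configparser.ConfigParser()
    parser.read_string(filter_text)
    return parser.get("Definition", "failregex")

def missing_key(filter_text):
    """Name of the undefined %(key)s in failregex, or None if it resolves."""
    try:
        load_failregex(filter_text)
    except configparser.InterpolationMissingOptionError as exc:
        return exc.reference
    return None

def banned_host(failregex, line):
    """Address captured by <HOST>, or None if the line does not match."""
    match = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return match.group("host") if match else None

if __name__ == "__main__":
    print("question filter, missing key:", missing_key(QUESTION_FILTER))
    print("host:", banned_host(load_failregex(FIXED_FILTER), SAMPLE_LINE))
```

On a real host, `fail2ban-regex` run against mail.log and the filter file performs the same match check with fail2ban's own definitions.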