Hi all, I wish to create a filter in fail2ban to filter the following string.
Code:
warning: hostname domain.tld does not resolve to address ***.***.***.***: Name or service not known
I have added the necessary info to the /etc/fail2ban/jail.local, and have created the necessary file in /etc/fail2ban/filter.d. I simply don't understand how to create/format the regex information. The object is to have F2B ban such connections the same as it does failed authentication attempts.
Regards
Fred
Experiment with a regex tester, like https://www.regextester.com/94338. Fail2ban documentation has instructions on testing the regular expressions.
Thank you for that. However, I am now very confused. I first tested the sasl authentication regex that is known to function as expected and I get no matches.
Code:
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|$
or
warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|$
Test string
Code:
Jun 5 01:05:17 mx postfix/smtpd[5462]: warning: unknown[77.247.110.208]: SASL LOGIN authentication failed:
Clearly I am doing something wrong. But yet again I find myself in the position where knowledge is assumed, and I simply don't have it to start with.
Regards
Fred
Now that I'm on a full sized screen, it's clear what you posted there is incomplete, the full line from postfix-sasl.conf is:
Code:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
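
Added example, not part of the thread and not fail2ban's own code: a Python sketch of a failregex for the "does not resolve to address" line from the first post, tested against constructed log lines. `PREFIX_LINE`, `HOST` and `TIMESTAMP` are simplified stand-ins (assumptions) for what fail2ban substitutes for `%(__prefix_line)s` and `<HOST>` and for its date handling; `raw_matches` shows what a generic regex tester does with the same pattern when those placeholders are left unexpanded.

```python
import re

# Constructed sample lines (documentation addresses), modelled on the log format in the thread.
SAMPLE_LOG = [
    "Jun  5 01:05:17 mx postfix/smtpd[5462]: warning: hostname domain.tld does not "
    "resolve to address 192.0.2.10: Name or service not known",
    "Jun  5 01:05:18 mx postfix/smtpd[5462]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jun  5 01:05:19 mx postfix/smtpd[5470]: connect from mail.example.org[203.0.113.5]",
]

# Candidate failregex as it would be written in a filter.d file (hypothetical filter).
FAILREGEX = (r"^%(__prefix_line)swarning: hostname \S+ does not resolve to "
             r"address <HOST>(?:: .*)?$")

# Assumptions: simplified substitutes covering a syslog-style prefix and IPv4 only.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
PREFIX_LINE = r"\S+ [\w./-]+(?:\[\d+\])?: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def expand(failregex):
    """Replace the fail2ban placeholders so Python's re module can use the pattern."""
    return failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)


def find_offenders(lines, failregex):
    """Return the address captured from every line the expanded failregex matches."""
    pattern = re.compile(expand(failregex))
    hits = []
    for line in lines:
        # The date is removed first, so the pattern starts at the hostname field.
        body = TIMESTAMP.sub("", line, count=1)
        match = pattern.search(body)
        if match:
            hits.append(match.group("host"))
    return hits


def raw_matches(lines, failregex):
    """Apply the pattern unexpanded: the placeholders are read as literal regex text."""
    pattern = re.compile(failregex)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print("expanded pattern bans:", find_offenders(SAMPLE_LOG, FAILREGEX))
    print("unexpanded pattern matches:", raw_matches(SAMPLE_LOG, FAILREGEX))
```

On a host with fail2ban installed, the `fail2ban-regex` tool performs the real placeholder expansion and can be run against the actual mail log and filter file.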