final <HOST> to <ADDR> conversion
bes-internal committed Mar 22, 2024
1 parent 5ecc26d commit 806a27c
Showing 4 changed files with 14 additions and 10 deletions.
2 changes: 1 addition & 1 deletion config/filter.d/exim-common.conf
Expand Up @@ -38,4 +38,4 @@ pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
# Daniel Black (rewrote with strong regexs)
# Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
# Varlamov Vladimir (host line definition)
# Vladimir Varlamov (host line definition)
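Review bot: this hunk only swaps the given/family name order in the credits comment (`# Vladimir Varlamov (host line definition)`); it is unrelated to the `<HOST>` to `<ADDR>` conversion named in the commit message and would be cleaner as a separate commit, or at least mentioned in the message.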
2 changes: 1 addition & 1 deletion config/filter.d/exim-spam.conf
Expand Up @@ -45,4 +45,4 @@ honeypot = [email protected]

# DEV Notes
# -----------
# The %(host_info) definition contains a <HOST> match. No space before. See exim-common.conf
# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf
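Review bot: the DEV note now states that `%(host_info)` contains an `<ADDR>` match, but the `host_info` definition in exim-common.conf is not touched in this commit, so the note is only accurate if the parent commit 5ecc26d already changed that definition; please confirm before merging, since the "No space before" remark depends on how `host_info` is defined.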
6 changes: 3 additions & 3 deletions config/filter.d/exim.conf
Expand Up @@ -26,8 +26,8 @@ failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user|
^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
<mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
mdre-aggressive = ^%(pid)s no host name found for IP address <ADDR>$
^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$

mdre-normal =

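Review bot: in the second `mdre-aggressive` line, replacing the literal ` \[<HOST>\]` with `%(host_info)s` is the functional change here: the old `from \[<HOST>\]\)$` required `])` immediately after the address and could not match the longer `]:49390 I=[31.130.202.17]:25)` tail, so a test line in that form should be part of this commit. The first line switches to `<ADDR>` directly rather than `<HOST>`, which means a hostname in that position would no longer match; since the message itself is `no host name found for IP address`, the value there is always an IP literal, but that reasoning belongs in the DEV notes.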
Expand All @@ -44,7 +44,7 @@ ignoreregex =

# DEV Notes
# -----------
# The %(host_info) definition contains a <HOST> match. No space before. See exim-common.conf
# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is
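Review bot: the unchanged context line `# to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is` has a typo (`void` for `avoid`); since the neighbouring DEV note is being edited in this hunk anyway, it would be a natural place to fix it.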
14 changes: 9 additions & 5 deletions fail2ban/tests/files/logs/exim
Expand Up @@ -93,21 +93,25 @@
# failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised

# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data ([email protected])
# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted

## no matches with `mode = normal`:

# failJSON: { "match": false , "desc": "aggressive mode only" }
2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
# failJSON: { "match": false , "desc": "aggressive mode only" }
2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
# failJSON: { "match": false , "desc": "aggressive mode only" }
2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)

# filterOptions: [{"mode": "aggressive"}]

# failJSON: { "time": "2017-12-03T08:32:00", "match": true , "host": "192.0.2.8", "desc": "no host found for IP" }
2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
# failJSON: { "time": "2017-12-03T08:51:35", "match": true , "host": "192.0.2.9", "desc": "no IP found for host" }
2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])

# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data ([email protected])
# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
# failJSON: { "time": "2022-04-03T21:53:53", "match": true , "host": "63.85.123.6", "desc": "no IP found for host long" }
2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
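Review bot: the new failJSON entries for the `dovecot_login authenticator failed` and `rejected RCPT` lines (added in the normal-mode section and repeated in the aggressive-mode section) lack the `desc` field that the surrounding entries carry; a short description would document that the expected host is the remote `[194.169.175.1]` / `[9.12.1.21]` and not the local `I=[22.33.44.55]` / `I=[194.169.175.2]` address, which is exactly the distinction the `<ADDR>`/`%(host_info)s` change must get right. The new "no IP found for host long" case is the test that exercises the `%(host_info)s` substitution in the second `mdre-aggressive` line of exim.conf, and its host expectation `63.85.123.6` (not `31.130.202.17`) confirms the correct address is captured.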

0 comments on commit 806a27c
