邮件清洁器- Fail2ban -mc-exim-过滤器配置

Question

我在一个工作非常好的邮件清理服务器上使用Fail2ban，但是我想更新它以禁止那些想要欺骗我们地址的主机。我使用的是“原始”，但我不太明白正则表达式是如何工作的。

下面是日志中的一个示例：

2021-02-26 00:02:37 H=([77.31.53.117]) [77.31.53.117] F=our@address.com rejected RCPT our@address.com: This domain does not accept mail from itself (spoofing)

我尝试了许多基于已经存在的failregexes的组合，但是它不想禁止攻击者。

有人能帮忙吗？

Answer 1

谢谢!这是可行的，但攻击者已经停止攻击我们。所以我不得不用一个在线的假邮件(https://emkei.cz/)来产生问题，但是这样日志消息发生了一点变化，而Fail2ban并没有禁止IP。

2021-03-03 08:57:20 H=emkei.cz (localhost) [93.99.104.210] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<test@address.com> rejected RCPT <testelek3@address.com: This domain does not accept mail from itself (spoofing)

是否需要更改regex以适应此日志消息？我想我应该把它改为“H=x”结尾和"F=“开头之间出现的任何东西，而这一点不应该改变。

Answer 2

我使用自己的规则：

[Definition]
failregex = \[<HOST>\]: 535 Incorrect authentication data
            no host name found for IP address <HOST>
            rejected because <HOST>
            rejected HELO from (.*)\[<HOST>\]
            rejected EHLO from (.*)\[<HOST>\]
            unqualified verify rejected: (.*)\[<HOST>\]
            SMTP command timeout on connection from (.*)\[<HOST>\]
            SMTP syntax error (.*)\[<HOST>\]
            TLS error on connection from (.*)\[<HOST>\]
            \[<HOST>\] dropped: too many unrecognized commands
            \[<HOST>\] unrecognized command
            \[<HOST>\] sender verify fail for
            \[<HOST>\] (.*)failed to find host name from IP address
            \[<HOST>\] (.*)Unknown user
            \[<HOST>\] (.*)relay not permitted
            synchronization error (.*)\[<HOST>\]
            \[<HOST>\] (.*)rejected after DATA
ignoreregex =