
Fail2Ban regex for EXIM (TCP/IP connection count)

I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:

2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)

2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)

2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)

So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that IP for the amount of time specified in the fail2ban configuration.

What I have tried so far is something like this:

failregex = ^%(pid)s SMTP connection from \\S+ [](:\\d+)? (I=[\\S+]:\\d+ )?(TCP/IP connection count = "\\S+")\\s*$

but it fails ... I am not any good at regex so I need your help.

Thank you!

[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)

Try this. See demo.

http://regex101.com/r/hQ9xT1/10
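The answer's regex is a regex101 demo; to be usable as a Fail2Ban filter it also needs the `<HOST>` placeholder so that fail2ban knows which address to ban, and a match on the count value itself rather than on the lookahead (the lookahead above also lets `count = 0` through). The following is an added example, not code from the original question or answer: it shows a `failregex` that only matches counts greater than 3 and exercises it the way fail2ban does (timestamp stripped first, `<HOST>` expanded to a capturing group). The filter file name, the sample IPs in the 192.0.2.0/24 and 198.51.100.0/24 ranges, and the simplified `<HOST>` expansion are assumptions made for this example.

```python
import re

# Fail2Ban failregex for exim's "SMTP connection from [ip] (TCP/IP connection count = N)"
# lines, matching only when N > 3: a single digit 4-9, or two or more digits.
# (The real fail2ban <HOST> expansion also handles IPv6 and hostnames; the
# stand-in below is enough for the dotted IPv4 addresses in this log format.)
FAILREGEX = (
    r"^SMTP connection from \[<HOST>\](?::\d+)? "
    r"\(TCP/IP connection count = (?:[4-9]|[1-9]\d+)\)\s*$"
)

# What you would put in e.g. /etc/fail2ban/filter.d/exim-conncount.conf
# (hypothetical file name) and check with:
#   fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim-conncount.conf
FILTER_CONF = f"[Definition]\nfailregex = {FAILREGEX}\nignoreregex =\n"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, see above).
HOST_GROUP = r"(?P<host>[\w\-.:]+)"

# Exim's default mainlog timestamp; fail2ban removes it before applying failregex.
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def offending_hosts(log_lines, failregex: str = FAILREGEX):
    """Return, in order, the hosts fail2ban would count as failures."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_lines:
        body = DATE_PREFIX.sub("", line.rstrip("\n"), count=1)
        m = pattern.match(body)
        if m:
            hits.append(m.group("host"))
    return hits


# Constructed sample log: the three lines from the question (counts 1-3, which
# must NOT match) plus made-up lines with counts 0, 4, 12 and 30.
SAMPLE_LOG = [
    "2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)",
    "2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)",
    "2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)",
    "2014-11-27 17:09:16 SMTP connection from [198.51.100.5] (TCP/IP connection count = 0)",
    "2014-11-27 17:09:17 SMTP connection from [192.0.2.10] (TCP/IP connection count = 4)",
    "2014-11-27 17:09:18 SMTP connection from [192.0.2.11] (TCP/IP connection count = 12)",
    "2014-11-27 17:09:19 SMTP connection from [192.0.2.12] (TCP/IP connection count = 30)",
]

if __name__ == "__main__":
    print(FILTER_CONF)
    print(offending_hosts(SAMPLE_LOG))
```

Note that exim's connection count is per remote host and counts concurrent connections, so a threshold of 3 here bans a host the first time it opens a fourth simultaneous SMTP session; combine it with `maxretry` and `findtime` in the jail so a single burst from a legitimate relay does not get it banned.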
