I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:
2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)
2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)
2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)
So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that IP for the amount of time specified in the fail2ban configuration.
What I have tried so far is something like this:
failregex = ^%(pid)s SMTP connection from \S+ [](:\d+)? (I=[\S+]:\d+ )?(TCP/IP connection count = "\S+")\s*$
but it fails... I am not any good at regex, so I need your help.
Thank you!
Try this. See demo.
http://regex101.com/r/hQ9xT1/10
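As an added example (not the original poster's attempt and not the regex behind the linked demo), here is a Python script that mimics how Fail2Ban applies a failregex: strip the timestamp, substitute its own <HOST> group, then match the rest of the line. It runs a candidate rule over constructed exim lines. The two points the question's attempt misses are that a regex cannot evaluate "count > 3" and has to spell out the digits that satisfy it (here `[4-9]|\d{2,}`), and that the rule must capture the address with <HOST>, otherwise Fail2Ban has nothing to ban. Assumptions: the `pid` definition and the <HOST> expansion are what I recall from Fail2Ban's exim-common.conf and its 0.8/0.9 filter code, the date stripping is a simplified stand-in for Fail2Ban's date detector, and every log line is constructed for this example.

```python
import re
from collections import Counter

# Constructed sample exim log lines (not from a real server). The first three
# copy the question; the others exercise a pid prefix, a port suffix, a
# reverse-DNS name before the address, and counts on both sides of the limit.
SAMPLE_LOG = """\
2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)
2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)
2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)
2014-11-27 17:09:16 SMTP connection from [113.188.85.220] (TCP/IP connection count = 4)
2014-11-27 17:09:17 [12345] SMTP connection from [203.0.113.9]:54321 (TCP/IP connection count = 12)
2014-11-27 17:09:18 SMTP connection from mail.example.org [198.51.100.7] (TCP/IP connection count = 30)
2014-11-27 17:09:19 SMTP connection from [198.51.100.8] (TCP/IP connection count = 3)
"""

# Assumed to match Fail2Ban's exim-common.conf: an optional " [pid]" after the date.
PID = r"( \[\d+\])?"

# Assumed to match what Fail2Ban substitutes for <HOST> (0.8/0.9 filter code).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for Fail2Ban's date detector: drop the ISO timestamp and
# keep the space that follows it, which is why the rule starts with "^%(pid)s ".
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Candidate failregex, written as it would appear in a filter file.
# A regex cannot compute "count > 3", so (?:[4-9]|\d{2,}) spells out the
# integers 4..9 plus anything with two or more digits; 1, 2 and 3 cannot match.
FAILREGEX = (
    r"^%(pid)s SMTP connection from (?:\S+ )?(?:\(\S+\) )?\[<HOST>\](?::\d+)?"
    r" \(TCP/IP connection count = (?:[4-9]|\d{2,})\)\s*$"
) % {"pid": PID}


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2Ban does and compile the rule."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def find_offenders(log_text, failregex=FAILREGEX):
    """Return the <host> captured from every line the rule matches, in log order."""
    rule = compile_failregex(failregex)
    hosts = []
    for raw in log_text.splitlines():
        stripped = DATE_RE.sub("", raw, count=1)  # what the failregex actually sees
        m = rule.search(stripped)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=1, failregex=FAILREGEX):
    """Hosts with at least `maxretry` matching lines (findtime deliberately ignored)."""
    tally = Counter(find_offenders(log_text, failregex))
    return sorted(host for host, n in tally.items() if n >= maxretry)


if __name__ == "__main__":
    for host in find_offenders(SAMPLE_LOG):
        print("match:", host)
    print("would ban (maxretry=1):", hosts_to_ban(SAMPLE_LOG))
```

Each matching line counts as one failure, so with this rule set maxretry = 1 in the jail unless you want several over-limit connections before a ban. Before enabling it, run the candidate against the real log with `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` (or the rule string itself in place of the filter file) and check that the match count and the captured hosts are what you expect.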