Fail2Ban regex for EXIM (TCP/IP connection count)


I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:

2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)

2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)

2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)

So I need a regex filter which analyzes the Exim log and, if the TCP/IP connection count is > 3, makes fail2ban block that IP for the amount of time specified in the fail2ban configuration.

What I have tried so far is something like this:

failregex = ^%(pid)s SMTP connection from \S+ [](:\d+)? (I=[\S+]:\d+ )?(TCP/IP connection count = "\S+")\s*$

but it fails... I am not any good at regex, so I need your help.

Thank you!

1 answer

vks (score 7):
[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)

Try this. See demo:

http://regex101.com/r/hQ9xT1/10
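As an added worked example (not part of the question or of vks's answer, and not fail2ban's stock exim filter), the following Python script runs a fail2ban-style failregex over a few Exim log lines. It makes explicit two things the answer leaves implicit: the pattern has to contain <HOST>, because that named group is where fail2ban takes the address to ban from, and fail2ban cannot compare numbers, so the "> 3" condition must be encoded in the regex itself, here by generating a negative lookahead for any threshold instead of listing 1, 2 and 3 by hand. The timestamp stripping and the IPv4-only stand-in for <HOST> are simplifications of what fail2ban does internally; the sample lines beyond the three quoted in the question, including the ":port" and "I=[interface]:port" variants, are constructed for the example. One caveat before deploying a rule like this: Exim's "TCP/IP connection count" is the daemon-wide number of concurrent inbound SMTP connections, not a per-client figure, so the rule bans whichever client happens to connect while the server is already busy.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines for this example. The first three are the
# lines quoted in the question; the rest are made up to exercise the boundary (count = 3),
# multi-digit counts, and Exim's optional ":port" and "I=[interface]:port" fields.
SAMPLE_LOG = [
    "2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)",
    "2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)",
    "2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)",
    "2014-11-27 17:09:16 SMTP connection from [198.51.100.7] (TCP/IP connection count = 4)",
    "2014-11-27 17:09:17 SMTP connection from [198.51.100.7] (TCP/IP connection count = 13)",
    "2014-11-27 17:09:18 SMTP connection from [203.0.113.9]:40221 I=[192.0.2.1]:25 (TCP/IP connection count = 5)",
    "2014-11-27 17:09:19 no host name found for IP address 203.0.113.9",
]

# Simplified stand-in for fail2ban's date handling: it locates the timestamp and cuts it
# out before the failregex is applied, so the pattern itself never matches the date.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Assumption: a plain IPv4 group standing in for what fail2ban substitutes for <HOST>
# (the real substitution also accepts hostnames and IPv6 addresses).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def count_threshold_regex(max_ok: int) -> str:
    """Regex fragment matching an unpadded integer strictly greater than max_ok.

    fail2ban cannot compare numbers, so the threshold has to live in the pattern:
    a negative lookahead rejects each allowed value only when it is immediately
    followed by the closing parenthesis, which is what keeps "13" or "30" from
    being rejected just because they begin with "1" or "3".
    """
    allowed = "|".join(str(i) for i in range(max_ok + 1))
    return rf"(?!(?:{allowed})\))\d+"


def build_failregex(max_ok: int = 3) -> str:
    """Hypothetical fail2ban failregex (not the stock exim filter) that fires only
    when the logged TCP/IP connection count exceeds max_ok. <HOST> is mandatory:
    it is the group fail2ban reads the address to ban from."""
    return (
        r"^SMTP connection from \[<HOST>\](?::\d+)? (?:I=\[\S+\]:\d+ )?"
        rf"\(TCP/IP connection count = {count_threshold_regex(max_ok)}\)\s*$"
    )


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Mimic fail2ban internals: replace <HOST> with a named capturing group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def find_offenders(lines, max_ok: int = 3):
    """Return the host of every line the failregex matches, in log order."""
    pattern = compile_failregex(build_failregex(max_ok))
    hits = []
    for line in lines:
        m = pattern.match(DATE_RE.sub("", line.rstrip("\n")))
        if m:
            hits.append(m.group("host"))
    return hits


def hosts_to_ban(lines, max_ok: int = 3, maxretry: int = 1):
    """Layer fail2ban's maxretry on top (findtime is ignored in this example):
    a host is banned once it has produced maxretry matching lines."""
    counts = Counter(find_offenders(lines, max_ok))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("failregex =", build_failregex(3))
    print("matched:", find_offenders(SAMPLE_LOG))
    print("banned (maxretry=1):", hosts_to_ban(SAMPLE_LOG))
    print("banned (maxretry=2):", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Running the script prints the generated failregex, which can be pasted into a filter file; with the sample above only the lines with counts 4, 13 and 5 match, while the count = 3 line on the boundary and the unrelated "no host name found" line do not. Raising the threshold to 12 leaves only the count = 13 line, which is the case a hand-written lookahead of the form \b1\b|\b2\b|\b3\b gets right but a naive [1-3] character class would get wrong.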