Fail2Ban regex for EXIM (TCP/IP connection count)

Question

Fail2Ban regex for EXIM (TCP/IP connection count)

1.1k views Asked by Bogdan Stoica At 23 November 2024 at 15:40

I am trying to create a regex condition for the exim filter of Fail2Ban. In my exim log, I have entries like this:

2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1)

2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2)

2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3)

So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that ip for the amount of time specified in fail2ban configuration.

What I have tried so far is something like this:

failregex = ^%(pid)s SMTP connection from \S+ [](:\d+)? (I=[\S+]:\d+ )?(TCP/IP connection count = "\S+")\s*$

but it fails ... I am not any good at regex so I need your help.

Thank you!

Original Q&A

There are 1 answers

**vks** · Answer 1 · 2014-11-27 15:34:04

vks On 27 November 2014 at 15:34

[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)

Try this.See demo.

http://regex101.com/r/hQ9xT1/10

TechQA.

Fail2Ban regex for EXIM (TCP/IP connection count)

There are 1 answers

Related Questions in REGEX

Related Questions in EXIM

Related Questions in FAIL2BAN

Popular Questions

Popular Tags

Trending Questions