# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts # # Author: Christian Brandlehner # # $Revision: 003 $ # # Configuration: # Set the following Domino Server parameters in notes.ini: # console_log_enabled=1 # log_sessions=2 # You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is: # DateOrder=DMY # DateSeparator=- # ClockType=24_Hour # TimeSeparator=: # # Depending on your locale you might have to tweak the date and time format so fail2ban can read the log #[INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] # Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # # Sample log entries (used different time formats and an extra sample with process info in front of date) # 01-23-2009 19:54:51 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4 # [28325:00010-3735542592] 22-06-2014 09:56:12 smtp: postmaster [1.2.3.4] authentication failure using internet password # 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password # 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4 __prefix = (?:\[[^\]]+\])?\s* __opt_data = (?::|\s+\[[^\]]+\]) failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?\]?$ ^%(__prefix)ssmtp: (?:[^\[]+ )*\[?\]? authentication failure using internet password\s*$ ^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?\]? rejected for policy reasons\. # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =