fail2ban exim auth failure rule doesn't work
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| fail2ban (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
The following rule - setup by default in fail2ban - to match failed exim4 authentication attempts doesn't ever match a real log entry:
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>
After trying it with fail2ban's own regex tester it always fails to match. I instead use a simpler rule:
\[<HOST>\]: 535 Incorrect authentication data
This needs to be fixed. Users naturally assume the default rules work, and even if they investigate the config it would appear to be valid. Only testing shows that the rule fails. How many users have a false sense of security because of this?
I haven't tested the other rules listed in "/etc/fail2ban/
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: fail2ban 0.9.3-1
ProcVersionSign
Uname: Linux 4.4.0-66-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Thu Mar 16 22:35:32 2017
PackageArchitec
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: fail2ban
UpgradeStatus: Upgraded to xenial on 2016-08-30 (197 days ago)
mtime.conffile.
| James Swift (swiftscripts) wrote | #1 |
| Seth Arnold (seth-arnold) wrote | #2 |
| information type: | Private Security → Public |
| James Swift (swiftscripts) wrote | #3 |
Hi James, if you're in a position to be able to prepare updates it could be released via the SRU process. For more information please see https:/
Thanks