
The fail2ban utility is a popular brute-force protection tool. Its principle of operation is simple and effective: if a large number of authentication failures from one host are recorded within a short time, that host is blocked for a while. It also ships with a large set of preset filters and makes it easy to add support for new services.

A definite drawback is that many of the presets are either outdated or written for a service's default log format, and do not work with the log formats shipped by the maintainers of popular distributions. One example is the MTA Exim, whose logs have not matched the rules in the fail2ban suite for several years. Below is an example of a fail2ban configuration that supports the current Exim log format.

Everything described below is done on a server running Ubuntu 18.04 LTS with Exim as the MTA. First, install fail2ban:

apt install fail2ban

Then create the file “/etc/fail2ban/filter.d/exim-new.conf” with the following contents:

[INCLUDES]
before = exim-common.conf

[Definition]

failregex = SMTP syntax error in \".+\" H=\[<HOST>\] NULL character\(s\) present \(shown as \'\?\'\)*$
            authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data \(set_id=.*\).*$
            SMTP protocol error in \"[^"]*\" H=\([^)]*\) \[<HOST>\] \w+ authentication mechanism not supported
            SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$


mode = normal

ignoreregex = 

These patterns catch not only direct password-guessing attempts but also attempts to send mail to non-existent addresses. The reason is simple, though not entirely obvious: rather than blindly cycling through a large number of login/password pairs, the attacker first enumerates recipients (RCPT TO probes against addresses that do not exist), builds a list of logins that the server confirms as valid, and can then direct password guesses at just those accounts.
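Before enabling the filter it is worth seeing which pattern fires on which kind of line, and which hosts would cross the ban threshold. fail2ban's own tool for this is fail2ban-regex, run against a real mainlog. The block below is an added example, not code from the original post or from the fail2ban project: it reproduces the essential matching logic in plain Python (strip the Exim timestamp, try the failregex list in order, stop at the first hit, then apply the maxretry/findtime rule) over a handful of constructed Exim log lines. The `<HOST>` expansion and the `%(host_info)s` definition are simplified local copies of what fail2ban's exim-common.conf provides and are assumptions; the sample lines, IP addresses and message IDs are constructed and include two benign delivery lines as negative controls. It deliberately uses the pattern list exactly as written in exim-new.conf above, so any real mainlog line that fails to match here (for example one carrying extra fields between the host and "rejected RCPT") is a sign that the pattern, not the harness, needs adjusting; fail2ban-regex against the live log remains the authoritative check.

```python
"""Offline check of the exim-new failregex list against constructed Exim lines.

Added example, not part of the original post. It mimics what fail2ban-regex
reports (hits per pattern) and what the jail then decides (who gets banned).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog prefix: "YYYY-MM-DD HH:MM:SS", optional TZ offset and [pid].
# fail2ban strips the date before applying failregex; we do the same.
DATE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: [+-]\d{4})?(?: \[\d+\])? ")

# What fail2ban 0.10 substitutes for <HOST> (named group "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(host_info)s from exim-common.conf (assumption):
# optional "H=name (helo) ", the bracketed IP, optional port/I=/U=/P=/S=/R=
# fields, and a trailing space.
HOST_INFO = (
    r"(?:H=(?:[\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\]"
    r"(?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtps?a?)?"
    r"(?: S=\d+)?(?: R=\S+)? "
)

# The five failregex lines from exim-new.conf, verbatim.
FAILREGEX = [
    r"""SMTP syntax error in \".+\" H=\[<HOST>\] NULL character\(s\) present \(shown as \'\?\'\)*$""",
    r"""authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data \(set_id=.*\).*$""",
    r"""SMTP protocol error in \"[^"]*\" H=\([^)]*\) \[<HOST>\] \w+ authentication mechanism not supported""",
    r"""SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$""",
    r"""%(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$""",
]

# Constructed sample log: one 203.0.113.10 attacker hitting four pattern
# types, one single failure from 198.51.100.7, and two benign lines.
SAMPLE_LOG = """\
2024-05-03 10:15:02 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=info)
2024-05-03 10:15:09 plain authenticator failed for mail.example.org (EHLO) [198.51.100.7]:51234 I=[192.0.2.1]:587: 535 Incorrect authentication data (set_id=admin)
2024-05-03 10:16:40 H=(evil.example) [203.0.113.10] rejected RCPT <nobody@example.com>: Unknown user
2024-05-03 10:16:41 H=(evil.example) [203.0.113.10] rejected RCPT <relay@other.example>: relay not permitted
2024-05-03 10:17:03 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[203.0.113.10] input="EHLO scanner\\r\\n"
2024-05-03 10:18:11 SMTP syntax error in "EHLO ??" H=[203.0.113.10] NULL character(s) present (shown as '?')
2024-05-03 10:19:00 1s2T3u-0001Ab-Cd <= alice@example.com H=client.example.net [192.0.2.44] P=esmtpsa A=login:alice S=1432
2024-05-03 10:19:05 1s2T3u-0001Ab-Cd => bob <bob@example.com> R=local_user T=local_delivery
"""


def compile_filter(patterns):
    """Expand %(host_info)s and <HOST> (in that order) and compile."""
    out = []
    for p in patterns:
        p = p.replace("%(host_info)s", HOST_INFO).replace("<HOST>", HOST_RE)
        out.append(re.compile(p))
    return out


def find_failures(log_text, patterns=FAILREGEX):
    """Return (hits_per_pattern, failures).

    Each line is tried against the patterns in order and, like fail2ban,
    the first match wins. failures is a list of (timestamp, host, pattern_no).
    """
    regs = compile_filter(patterns)
    hits = defaultdict(int)
    failures = []
    for line in log_text.splitlines():
        m_date = DATE_RE.match(line)
        if not m_date:
            continue  # not an Exim mainlog line
        when = datetime.strptime(m_date.group(1), "%Y-%m-%d %H:%M:%S")
        body = line[m_date.end():]
        for number, rx in enumerate(regs, 1):
            m = rx.search(body)
            if m:
                hits[number] += 1
                failures.append((when, m.group("host"), number))
                break
    return dict(hits), failures


def hosts_to_ban(failures, maxretry=5, findtime=timedelta(minutes=15)):
    """Jail rule: ban a host once maxretry failures fall inside findtime.

    maxretry=5 is fail2ban's shipped default; findtime matches the jail.local
    in this article. Sliding-window check over the sorted failure times.
    """
    by_host = defaultdict(list)
    for when, host, _ in failures:
        by_host[host].append(when)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    hits, failures = find_failures(SAMPLE_LOG)
    for number in sorted(hits):
        print(f"failregex #{number}: {hits[number]} hit(s)")
    print("would ban:", sorted(hosts_to_ban(failures)))
```

On the constructed sample this reports one hit for pattern 1, two each for patterns 2 and 5, one for pattern 4, none for pattern 3, and bans only 203.0.113.10; 198.51.100.7 has a single failure and stays below the threshold, which is exactly the distinction the findtime/maxretry pair in the jail is there to make.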

Alternatively, you can configure a catch-all trap (“catchmail”) that collects all mail for nonexistent mailboxes in one mailbox. But that is a topic for another time.

You can test the template with the command:

This command shows how many times each regular expression matched in the specified log. Naturally, do not test against an empty log. Once you have confirmed that the regular expressions work, enable the new filter. Create the file “/etc/fail2ban/jail.local” if it does not already exist and add the following lines to it:

[exim-new]
port   = smtp,465,submission
logpath = %(exim_main_log)s
enabled = true
bantime = 6h
findtime = 15m

After that, restart fail2ban:

systemctl restart fail2ban

You can view the list of banned addresses and overall statistics for our jail with the command:

fail2ban-client status exim-new