author: Sergey G. Brester <serg.brester@sebres.de> 2023-04-24 22:59:00 +0200
committer: GitHub <noreply@github.com> 2023-04-24 22:59:00 +0200
commit: 871101c3c1b26967c72a5805743873965d4ab0c3 (patch)
tree: 06121f026dcc96059feba5a07c37046dab1eade5
parent: 2b98f461bb93c6a1a1cec1481fa94b7a84342977 (diff)
parent: 3c8d5fd4ef8886aa741873544832582392fabf20 (diff)
download: fail2ban-871101c3c1b26967c72a5805743873965d4ab0c3.tar.gz
Merge pull request #3502 from fail2ban/gh-3497
filter.d/exim.conf: fixes "dropped: too many ..." regex (also matches unrecognized commands)
-rw-r--r-- ChangeLog 1
-rw-r--r-- config/filter.d/exim.conf 2
-rw-r--r-- fail2ban/tests/files/logs/exim 4
3 files changed, 6 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index daf185ab..9085fcae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition
if available for platform and uses DNS to find local IPv6 as a fallback only
* improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132)
* `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860)
+* `filter.d/exim.conf` - fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502)
* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226)
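Review bot: the new entry cites only the merge PR (gh-3502) while the test cases added in fail2ban/tests/files/logs/exim are tagged with the originating issue gh-3497; referencing gh-3497 here as well would let a reader go from the ChangeLog to the bug report. It would also be worth stating that the pattern now accepts arbitrary trailing text after the reason (the `(last ... was "...")` suffix is no longer required), since that is the second behavioural change this PR makes to the regex.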
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 6a8c12c5..1f0c3d82 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -20,7 +20,7 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
- ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
+ ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors)
^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
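Review bot: the replacement line drops both the `\(last (?:command )?was "[^"]*"\)` suffix and the `\s*$` end anchor, so this failregex becomes a prefix match that accepts any tail after `syntax or protocol errors`. That is what the `, C=EHLO` suffix case needs, and it is safe for the ban decision because `<HOST>` comes from `%(host_info)s` before `dropped:`, but every neighbouring failregex in this block still ends in `\s*$`, so a short comment explaining why this one intentionally has no end anchor would stop the next maintainer from re-adding it. The `(?:(?:nonmail|unrecognized) commands|syntax or protocol errors)` alternation itself reads correctly; consider closing it with a word boundary (e.g. `errors\b`, or keeping the literal ` \(last`) so the prefix cannot match a longer, unexpected token.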
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index e88f06ef..04a47af7 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@@ -22,6 +22,10 @@
2013-06-02 09:22:05 [19591] SMTP call from pc012-6201.spo.scu.edu.tw [163.14.21.161]:3767 I=[1.2.3.4]:25 dropped: too many nonmail commands (last was "RSET")
# failJSON: { "time": "2013-06-02T09:22:06", "match": true , "host": "192.0.2.109" }
2013-06-02 09:22:06 SMTP call from [192.0.2.109] dropped: too many syntax or protocol errors (last command was "AUTH LOGIN")
+# failJSON: { "time": "2013-06-02T09:22:07", "match": true , "host": "192.0.2.109", "desc": "unrecognized commands, gh-3497" }
+2013-06-02 09:22:07 SMTP call from [192.0.2.109] dropped: too many unrecognized commands (last was "\033%-12345X")
+# failJSON: { "time": "2013-06-02T09:22:08", "match": true , "host": "192.0.2.109", "desc": "additional suffix at end, gh-3497" }
+2013-06-02 09:22:08 SMTP call from xxx.example.com [192.0.2.109] dropped: too many syntax or protocol errors (last command was "\300\024?\234?\235?/?5\300\022?", C=EHLO)
# failJSON: { "time": "2013-06-02T15:06:18", "match": true , "host": "46.20.35.114" }
2013-06-02 15:06:18 H=(VM-WIN2K3-1562) [46.20.35.114] sender verify fail for <usfh@technological-systems.com>: Unknown user
# failJSON: { "time": "2013-06-07T02:02:09", "match": true , "host": "91.232.21.92" }
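Review bot: both new cases are positive (`"match": true`); since the regex in config/filter.d/exim.conf now stops after the `dropped: too many ...` alternation with no end anchor, a `"match": false` case for a `dropped:` line whose reason is outside the alternation would document that the loosened pattern does not over-match. The coverage for gh-3497 itself looks right: the first line exercises the new `unrecognized commands` alternative, and the second, with its `xxx.example.com [192.0.2.109]` host form and the `, C=EHLO)` tail after the quoted octal-escaped bytes, is exactly the input the old `"\)\s*$` suffix rejected.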