
Question FAIL2BAN filters. Any filter for this intrusion by internet search scanners?

alexk345

Basic Pleskian
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connection established
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: master_notify: status 0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: resource
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: software
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.57]
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? 12>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? 127.0.0.0/8
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? [:>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? [::1]/128
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: smtp_stream_setup: maxtime=3600 enable_deadline=0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: auto_clnt_open: connected to private/anvil

This is all over my syslog.

I don't see any filters in fail2ban.

How do i write filters?

I wrote a regex to capture all of those IP addresses:

push (@matches,$&) while($search_contents =~ /$regex/gm);

Next, I need to find a way to create a filter in fail2ban.
 
I am seeing lots of SASL failures in my log files, but postfix-sasl never finds any.
So I am testing the regex manually:
fail2ban-regex -v /var/log/maillog.processed /etc/fail2ban/filter.d/postfix

This is the result I got:
Running tests
=============

Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/maillog.processed
Use encoding : UTF-8


Results
=======

Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
| 2) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
| 3) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
| 4) [0] ^EHLO from [^[]*\[<HOST>\](?::\d+)?: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
| 5) [0] ^VRFY from [^[]*\[<HOST>\](?::\d+)?: 550 5\.1\.1\s
| 6) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
| 7) [0] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [24457] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
| [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Epoch
| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
| [0] {^LN-BEG}ExYearExMonthExDay(?:T| ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}TAI64N
| [0] {^LN-BEG}24hour:Minute:Second
| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
| [0] ^MON-Day-ExYear2 %k:Minute:Second
`-

Lines: 24457 lines, 0 ignored, 0 matched, 24457 missed
[processed in 1.59 sec]

========================================================= END=======================================


This is a sample of maillog.processed:


Jan 18 16:06:47 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=15)
Jan 18 16:06:47 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:47 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:47 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:49 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:50 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=9)
Jan 18 16:06:50 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:50 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:50 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:50 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:50 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=8)
Jan 18 16:06:50 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:51 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=11)
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:51 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:52 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:52 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=10)
Jan 18 16:06:52 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:52 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:52 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:52 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:53 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=8)
Jan 18 16:06:53 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:53 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:53 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:53 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:53 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=11)
Jan 18 16:06:53 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
Jan 18 16:06:54 intelligent-mahavira postfix/smtpd[628887]: lost connection after AUTH from unknown[193.169.255.111]
Jan 18 16:06:54 intelligent-mahavira postfix/smtpd[628887]: disconnect from unknown[193.169.255.111] ehlo=1 auth=0/1 commands=1/2
Jan 18 16:06:54 intelligent-mahavira postfix/smtpd[628887]: connect from unknown[193.169.255.111]
Jan 18 16:06:54 intelligent-mahavira plesk_saslauthd[628869]: failed mail authentication attempt for user 'administrator' (password len=13)
Jan 18 16:06:54 intelligent-mahavira postfix/smtpd[628887]: warning: unknown[193.169.255.111]: SASL LOGIN authentication failed: authentication failure
 