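# By default no offenses are allowed; a MAX_OFFENSES entry is what grants any.
# Lighten up a little for home boys
MAX_OFFENSES 5 {
    COUNTRY= US
}

# GeoIP doesn't know the location of every IP address
MAX_OFFENSES 3 {
    COUNTRY= unknown
    IP= 46.20.2.158
}

# This is effectively your whitelist
MAX_OFFENSES 1000 {
    # me from home, CIDR notation
    # NOTE: a /20 spans 4096 addresses, so every host in that provider block
    # gets the 1000-offense allowance, not only the single home address.
    IP= 35.133.139.132/20
    # Some user
    IP= 173.236.196.36
}

# In every REGEX the capture group is the offending address. [0-9.a-f:]+ accepts
# dotted IPv4 and lowercase-hex IPv6 literals (uppercase hex would not match);
# the earlier IPv4-only [0-9.]+ forms are kept commented out for reference.
LOGTYPE syslog {
    DIR= /var/log
    PREFIX= syslog
    # Nov 23 10:08:03 srv auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=john rhost=35.133.128.47 user=john
    # ruser= is the name sent by the client; the greedy .* makes the capture the
    # last rhost= on the line, i.e. the one pam_unix itself writes.
    # REGEX= pam_unix\(dovecot:auth\): authentication failure;.*rhost=([0-9.]+)
    REGEX= pam_unix\(dovecot:auth\): authentication failure;.*rhost=([0-9.a-f:]+)
    # Nov 23 16:16:12 srv dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=69.64.58.110, lip=50.116.38.131, session=<5nY6CgqYFdVFQDpu>
    # REGEX= pop3-login: Aborted.*, rip=([0-9.]+)
    REGEX= pop3-login: Aborted.*, rip=([0-9.a-f:]+)
    # Nov 23 16:33:53 srv dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=71.6.135.131, lip=50.116.38.131, session=
    # REGEX= pop3-login: Disconnected.*, rip=([0-9.]+)
    REGEX= pop3-login: Disconnected.*, rip=([0-9.a-f:]+)
}

LOGTYPE auth {
    DIR= /var/log
    PREFIX= auth.log
    # imapd[20193]: Login failed user=hollingsworth@robertsonoptical.com auth=hollingsworth@robertsonoptical.com host=[186.179.170.12]
    # The $ anchor ties the capture to the trailing host=[..] field.
    # REGEX= imapd.*Login failed.*\[([0-9.]+)\]$
    REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
    # sshd[6165]: Failed password for invalid user user from 185.224.137.201 port 44865 ssh2
    # The user name is chosen by the client; the greedy .* plus the $ anchor keep
    # the capture on the "from <addr> port <n> ssh2" tail that sshd appends.
    # REGEX= sshd.*Failed password.*from ([0-9.]+) port [0-9]+ ssh2$
    REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
    # Unable to negotiate with 193.188.22.188 port ...
    # REGEX= Unable to negotiate with ([0-9.]+) port
    REGEX= Unable to negotiate with ([0-9.a-f:]+) port
    # in.qpopper[14962]: pam_unix(qpopper:auth): authentication failure; logname= uid=0 euid=0 tty=96.89.83.1
    # Still IPv4-only on purpose: the service is on its way out.
    # TODO: this can be retired around 2019-12-10
    REGEX= in\.qpopper.*authentication failure.*tty=([0-9.]+)
}

LOGTYPE exim4 {
    DIR= /var/log/exim4
    PREFIX= mainlog
    # cram_md5_server authenticator failed for ([78.128.113.121]) [78.128.113.121]
    # cram_md5_server authenticator failed for (swim.diverseenvironment.com.) [185.211.245.198]
    # The parenthesised text is the client's HELO name and can itself look like a
    # bracketed address; the leading .* makes the capture the final [..] on the line.
    # REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.]+)\]
    REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
    # 2019-11-15 00:08:25 SMTP protocol error in "AUTH LOGIN" H=(User) [193.56.28.176] LOGIN authentication mechanism not supported
    # REGEX= \[([0-9.]+)\] [[:alnum:]_]+ authentication mechanism not supported
    REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
    # 2019-11-20 03:44:51 1iXLbX-0000ZX-F8 <= kirsten@rrci.com H=(rrci.com) [171.244.140.160] P=esmtpa A=cram_md5_server:kirsten S=2742 id=9857581066.20191120084450@rrci.com
    # 2019-11-20 18:21:15 1iXZHe-0002fZ-W8 <= kirsten@rrci.com H=035-133-139-132.res.spectrum.com ([192.168.1.29]) [35.133.139.132] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no A=plain_server:kirsten S=703 id=e8478681-4fc5-75d8-7328-52f534956d65@rrci.com
    # A regex starting at \[ matches at the leftmost bracket, which on the second
    # sample is the client-supplied ([192.168.1.29]) inside the HELO rather than
    # the peer address. Requiring " P=" right after the closing bracket pins the
    # capture to the address that precedes the protocol field.
    # NOTE(review): these samples are accepted (<=) authenticated submissions, so
    # each one counts as an offense for the sending address -- presumably meant
    # as a rate limit on authenticated senders; confirm that is intended.
    # REGEX= \[([0-9.]+)\].*A=[[:alnum:]_]+_server:
    # REGEX= \[([0-9.a-f:]+)\].*A=[[:alnum:]_]+_server:
    REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server:
    # [185.234.217.241] (gnutls_handshake): No supported cipher suites have been found.
    # REGEX= \[([0-9.]+)\].*No supported cipher suites have been found
    REGEX= \[([0-9.a-f:]+)\].*No supported cipher suites have been found
}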