fail2ban, CentOS 5, cPanel, EXIM, regex

failregex = .*\[<HOST>\]:[0-9]+ .*(?:Unrouteable address|rejected)

Or, if You want to replace CPanel CPHULK by fail2ban do that:

/etc/fail2ban/jail.conf

[cpanel-iptables]

enabled  = true
filter   = cpanel
logpath  = /usr/local/cpanel/logs/login_log
action   = iptables-multiport[name=cpanel, port="21,80,443,2082,2083,2095,2096", protocol=tcp]
#           sendmail-whois[name=cpanel, dest=root, sender=fail2ban@example.com]
findtime = 86400
bantime  = 600
maxretry = 5

/etc/fail2ban/filter.d/cpanel.conf

# Fail2Ban configuration file
#
# Author: Widmo

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT

failregex = ^<HOST>\s\-\s.*\s\[.*\].*\s(FAILED LOGIN)\s.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Save, restart fail2ban:

service fail2ban restart

Done 😉