Re: [spamdyke-users] Fail2ban integration

2016-07-25 Thread Gary Gendel via spamdyke-users

Sam,

Thanks.  I'll let you know how it goes.

Gary

On 07/25/2016 09:58 AM, Sam Clippinger via spamdyke-users wrote:
spamdyke won't log the IP in its current version, but it wouldn't be 
hard to add.  If you want a quick'n'dirty solution right away, you can 
add it very easily... just edit exec.c and change line 206 to this:
    SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);
Then recompile and replace the spamdyke binary with the new copy. 
 Once it's in place, the "authentication failure" messages should show 
the IP address right after the username, separated by a space.  (NOTE: 
I haven't compiled or tested this change, proceed with caution...)


-- Sam Clippinger




On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users wrote:



Sam,

Is there a way to get spamdyke to log invalid authorizations in a 
manner that fail2ban can use?  My host has been hit continuously with 
brute-force attacks.  Unfortunately, the logs only have:


Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon


They seem to have a huge list of account names to try and I've got 
thousands of attempts just for today.  Unfortunately, without any IP 
address in the message I can't have fail2ban automatically block these.


Gary


___
spamdyke-users mailing list
spamdyke-users@spamdyke.org 
http://www.spamdyke.org/mailman/listinfo/spamdyke-users











Re: [spamdyke-users] Fail2ban integration

2016-07-25 Thread Sam Clippinger via spamdyke-users
spamdyke won't log the IP in its current version, but it wouldn't be hard to 
add.  If you want a quick'n'dirty solution right away, you can add it very 
easily... just edit exec.c and change line 206 to this:
    SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);
Then recompile and replace the spamdyke binary with the new copy.  Once it's in 
place, the "authentication failure" messages should show the IP address right 
after the username, separated by a space.  (NOTE: I haven't compiled or tested 
this change, proceed with caution...)

-- Sam Clippinger




On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users wrote:

> Sam,
> 
> Is there a way to get spamdyke to log invalid authorizations in a manner that 
> fail2ban can use?  My host has been hit continuously with brute-force 
> attacks.  Unfortunately, the logs only have:
> 
> Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
> FILTER_AUTH_REQUIRED
> Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
> ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
> username/password, vchkpw uses this to indicate SMTP access is not allowed): 
> verizon
> Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
> operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
> FILTER_AUTH_REQUIRED
> Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
> ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
> username/password, vchkpw uses this to indicate SMTP access is not allowed): 
> verizon
> Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
> operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
> FILTER_AUTH_REQUIRED
> Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
> ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
> username/password, vchkpw uses this to indicate SMTP access is not allowed): 
> verizon
> Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
> operation failed due to an I/O error, Unexpected EOF found
> Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
> FILTER_AUTH_REQUIRED
> Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
> ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
> username/password, vchkpw uses this to indicate SMTP access is not allowed): 
> verizon
> Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
> operation failed due to an I/O error, Unexpected EOF found
> Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
> FILTER_AUTH_REQUIRED
> Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
> ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
> username/password, vchkpw uses this to indicate SMTP access is not allowed): 
> verizon
> 
> They seem to have a huge list of account names to try and I've got thousands 
> of attempts just for today.  Unfortunately, without any IP address in the 
> message I can't have fail2ban automatically block these.
> 
> Gary
> 
> 

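Detection logic for the log line Sam's one-line change would produce, as an added example that is not part of the thread or of the spamdyke project: it matches the modified "authentication failure" message (client address after the username, separated by a space, as Sam describes), ignores the FILTER_AUTH_REQUIRED and tls_read lines around it, and counts failures per address the way fail2ban's maxretry/findtime settings do. The sample log lines are constructed (TEST-NET addresses), the filter file name filter.d/spamdyke.conf is an assumption, and the unpatched line without an address is included to show that it is correctly not matched.

```python
"""Added example, not code from spamdyke or from the thread's authors.

Matches the "authentication failure" line as it would look after Sam's
proposed change to exec.c (client IP appended after the username) and
counts failures per client address with fail2ban-style maxretry/findtime.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Python form of the failregex.  The constructed sample lines carry the
# Solaris-style "[ID ... mail.info]" tag seen in the thread; ".*" skips it
# and the "ERROR(exec_checkpassword_argv()@exec.c:206): " prefix.
FAILREGEX = (
    r"spamdyke\[\d+\]: .*authentication failure "
    r"\(bad username/password, vchkpw uses this to indicate SMTP access is not allowed\): "
    r"(?P<user>\S+) (?P<host>\S+)$"
)

# The same expression in fail2ban's notation (<HOST> is its placeholder for
# the address to ban), for an assumed /etc/fail2ban/filter.d/spamdyke.conf.
FAIL2BAN_FAILREGEX = (FAILREGEX.replace(r"(?P<user>\S+)", r"\S+")
                               .replace(r"(?P<host>\S+)", "<HOST>"))
FAIL2BAN_FILTER = "[Definition]\nfailregex = " + FAIL2BAN_FAILREGEX + "\nignoreregex =\n"

# Full-line pattern: syslog timestamp, host name, then the failregex.
AUTH_FAILURE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ " + FAILREGEX)


def parse_auth_failures(lines, year=2016):
    """Return (timestamp, username, client_ip) for every matching line.

    syslog timestamps carry no year, so the caller supplies one (the
    thread's lines are from 2016).  Non-matching lines are ignored.
    """
    found = []
    for line in lines:
        m = AUTH_FAILURE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        found.append((ts, m.group("user"), m.group("host")))
    return found


def hosts_to_ban(lines, maxretry=5, findtime=600, year=2016):
    """Mimic fail2ban's counting: ban a host once it has `maxretry`
    failures inside any window of `findtime` seconds."""
    by_host = defaultdict(list)
    for ts, _user, host in parse_auth_failures(lines, year):
        by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, stamps in by_host.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(host)
                break
    return banned


# ---- constructed sample log (TEST-NET addresses, not real traffic) ----
PREFIX = "tardis spamdyke[{pid}]: [ID 702911 mail.info] "


def _fail(ts, pid, user, ip):
    """Constructed post-patch failure line: username, space, client IP."""
    return (f"{ts} " + PREFIX.format(pid=pid)
            + "ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure "
            "(bad username/password, vchkpw uses this to indicate SMTP access is not allowed): "
            f"{user} {ip}")


def _required(ts, pid):
    return f"{ts} " + PREFIX.format(pid=pid) + "FILTER_AUTH_REQUIRED"


def _tls_eof(ts, pid):
    return (f"{ts} " + PREFIX.format(pid=pid)
            + "ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The "
            "operation failed due to an I/O error, Unexpected EOF found")


SAMPLE_LOG = [
    _required("Jul 22 18:54:43", 26727),
    _fail("Jul 22 18:54:50", 26727, "verizon", "203.0.113.7"),
    _fail("Jul 22 18:55:10", 26731, "sales", "198.51.100.23"),   # one-off, not banned
    _tls_eof("Jul 22 18:56:01", 26727),
    _fail("Jul 22 18:56:30", 26736, "admin", "203.0.113.7"),
    _fail("Jul 22 18:58:05", 26743, "info", "203.0.113.7"),
    _fail("Jul 22 18:59:40", 26876, "test", "203.0.113.7"),
    _fail("Jul 22 19:01:15", 26891, "support", "203.0.113.7"),
    _fail("Jul 22 19:02:50", 26902, "webmaster", "203.0.113.7"),
]

# Unpatched line exactly as in the thread: no address, so it must not match.
UNPATCHED_LINE = ("Jul 22 19:05:16 " + PREFIX.format(pid=26891)
                  + "ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure "
                  "(bad username/password, vchkpw uses this to indicate SMTP access is not allowed): "
                  "verizon")

if __name__ == "__main__":
    print(FAIL2BAN_FILTER)
    print("failures:", len(parse_auth_failures(SAMPLE_LOG)))
    print("ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
</test>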


Re: [spamdyke-users] Fail2ban integration

2016-07-22 Thread Angus McIntyre via spamdyke-users

What log file are those messages from? Are they from '/var/log/maillog'?

If so, you might look at /var/log/qmail/smtp/current to see if it offers 
anything you can use. On my system, spamdyke lines in that log include:


origin_ip: 1.2.3.4

so if these attacks cause text to be written to that file -- and the 
signature is sufficiently distinctive -- then perhaps fail2ban could 
leverage that.


Angus

On 2016-07-22 19:17, Gary Gendel via spamdyke-users wrote:

Sam,

Is there a way to get spamdyke to log invalid authorizations in a
manner that fail2ban can use?  My host has been hit continuously with
brute-force attacks.  Unfortunately, the logs only have:

Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon

They seem to have a huge list of account names to try and I've got
thousands of attempts just for today.  Unfortunately, without any IP
address in the message I can't have fail2ban automatically block
these.

Gary




[spamdyke-users] Fail2ban integration

2016-07-22 Thread Gary Gendel via spamdyke-users

Sam,

Is there a way to get spamdyke to log invalid authorizations in a manner 
that fail2ban can use?  My host has been hit continuously with 
brute-force attacks.  Unfortunately, the logs only have:


Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon


They seem to have a huge list of account names to try and I've got 
thousands of attempts just for today.  Unfortunately, without any IP 
address in the message I can't have fail2ban automatically block these.


Gary

