On Fri, 07 Nov 2008 07:38:03 -0500, Sam Varshavchik <[EMAIL PROTECTED]> wrote:

> It's all one line. It should be fairly simple to grep syslog for
> "User * unknown", then grab the IP address, and ban it.

Fail2ban is perfect for that...

Here is the couriersmtp filter I created:

serveur:/etc/fail2ban/filter.d# cat couriersmtp.conf
# Fail2Ban configuration file
#
# Author: Jerome Blion
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = error,relay=<HOST>,.*: (511|550|554|513)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Then ban the IP for 1-2h...

HTH.

Jerome Blion.

_______________________________________________
courier-users mailing list
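The filter above can be checked offline before it is enabled. The following is an added example, not part of the original message or of fail2ban itself: it expands `<HOST>` with a simplified stand-in pattern (an assumption covering IPv4 and hostnames only), runs the posted failregex over constructed log lines, and lists the hosts that reach an assumed retry threshold of 3.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption): optional
# IPv4-mapped prefix, then an IPv4 address or hostname captured as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w.\-]+)"

# failregex from the posted filter, with <HOST> expanded.
FAILREGEX = re.compile(
    r"error,relay=<HOST>,.*: (511|550|554|513)".replace("<HOST>", HOST)
)

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Nov  7 13:01:02 serveur courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<nobody1@example.com>: 550 User <nobody1> unknown
Nov  7 13:01:05 serveur courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<nobody2@example.com>: 550 User <nobody2> unknown
Nov  7 13:01:09 serveur courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<nobody3@example.com>: 550 User <nobody3> unknown
Nov  7 13:02:00 serveur courieresmtpd: started,ip=[::ffff:198.51.100.7]
Nov  7 13:02:01 serveur courieresmtpd: error,relay=::ffff:198.51.100.7,from=<b@example.net>,to=<x@example.com>: 513 Relaying denied.
Nov  7 13:03:00 serveur courieresmtpd: error,relay=::ffff:203.0.113.5,from=<c@example.net>: 451 Temporary failure
"""


def failures_per_host(log_text):
    """Count lines matching the failregex, keyed by the captured host."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose match count reaches maxretry (threshold value is assumed)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

The 451 line and the non-error line are deliberately left unmatched, so a temporary failure does not count toward a ban.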
