Sam Varshavchik wrote:
> Jerome Blion writes:
>> On Fri, 07 Nov 2008 07:38:03 -0500, Sam Varshavchik <[EMAIL PROTECTED]> wrote:
>>> It's all one line. It should be fairly simple to grep syslog for
>>> "User * unknown", then grab the IP address, and ban it.

User unknown can also be captured from a catchall script, i.e. synchronously rather than parsing log files.

>> Fail2ban is perfect for that...
>> Here is the couriersmtp filter I created:
>> [...]
>> failregex = error,relay=<HOST>,.*: (511|550|554|513)

Most (all?) of those are originated via the addiovec_error() function. Thus we know they are sent with LOG_INFO priority.

> That's probably an overkill to ban an IP because of a single error. You
> really want to trigger an IP ban after 4-5 consecutive errors.

That seems fair. The above regex would also capture "550 Rejected - see DNSBL" stuff, which I don't think deserves being blocked at the firewall.

Jerome, what regex do you use for imap/pop3/webmail? I'd recommend something like

failregex = LOGIN FAILED, user=\S* ip=\[<HOST>]

While SMTP features a smart tarpit, login failures have a lone sleep(5); depending on MAXDAEMONS (and MAXPERIP) that may allow a good deal of retries. The latter log lines also come at LOG_INFO priority.

Since logging is being used for interprocess communication purposes, would it make sense to document that the LOG_INFO priority is where info relevant for the firewall is being logged? Parsing just those lines may save some cycles...
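As an added example (not code from this thread, from fail2ban or from Courier), the script below applies the two failregex lines discussed above to constructed Courier-style log lines, counts matches per host against a maxretry threshold, and shows an ignoreregex that keeps the DNSBL rejections from counting. The `<HOST>` substitution is an approximation of fail2ban's, and the log line shapes are assumptions.

```python
import re
from collections import defaultdict

# fail2ban replaces <HOST> with a pattern that tolerates the IPv4-mapped
# IPv6 prefix Courier logs (::ffff:192.0.2.1). This is an approximation of
# that substitution, assumed for the example, not fail2ban's own code.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines proposed in the thread.
FILTERS = {
    "couriersmtp": r"error,relay=<HOST>,.*: (511|550|554|513)",
    "courierlogin": r"LOGIN FAILED, user=\S* ip=\[<HOST>]",
}

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def scan(lines, failregex, maxretry=5, ignoreregex=None):
    """Count failures per host; return (counts, hosts that reached maxretry).

    Lines matching ignoreregex are skipped, mirroring fail2ban's ignoreregex
    option (assumed semantics: an ignored line never counts as a failure).
    """
    pattern = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    counts = defaultdict(int)
    for line in lines:
        if ignore and ignore.search(line):
            continue
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return dict(counts), banned

# Constructed sample syslog lines in the shape of Courier's LOG_INFO records.
SMTP_LOG = [
    "courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<nobody@example.net>: 550 User unknown.",
] * 5 + [
    "courieresmtpd: error,relay=::ffff:198.51.100.7,from=<b@example.org>,to=<x@example.net>: 550 Rejected - see DNSBL",
]
LOGIN_LOG = [
    "imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.5]",
] * 4 + [
    "imapd: LOGIN, user=alice, ip=[::ffff:203.0.113.5]",
]

if __name__ == "__main__":
    print(scan(SMTP_LOG, FILTERS["couriersmtp"]))
    print(scan(SMTP_LOG, FILTERS["couriersmtp"], ignoreregex=r"see DNSBL"))
    print(scan(LOGIN_LOG, FILTERS["courierlogin"], maxretry=4))
```

Without the ignoreregex the DNSBL line is counted against 198.51.100.7 (once, so no ban at maxretry=5); with it, that host never appears in the counts.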
