Ed W wrote:
Lou Duchez wrote:
So any failure at any of the three protocols (SMTP, POP3, IMAP) is considered a "strike" by all three, and they should all ban the same guys at the same time. This is as yet untested, but seems like it should be pretty sound.


I think you only need one service and you can use the iptables-multi (or something similar) to block all the ports if you get a hit?

Ed W


!!!

Just when I think I've achieved ultimate perfection on this, someone comes along with a great idea. Thanks!

So I guess we take out the "sasl-iptables" part of jail.conf and replace it with:

[smtppop3imap]
enabled  = true
filter   = smtppop3imap
action = iptables-multiport[name=smtppop3imap, port="smtp,pop3,imap", protocol=tcp]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0/24 123.123.123.123/27 234.234.234.234
maxretry = 2
findtime = 1200
bantime  = 1200


smtppop3imap.conf is as previously described:

[Definition]

# One pattern per line: Postfix SASL failures first, then Dovecot pop3/imap login failures
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

ignoreregex =
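
Added example, not part of the original message: a Python check of the two failregex patterns and the shared strike counting (maxretry, findtime, ignoreip from the jail above) against constructed maillog lines. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and the log lines, addresses and year are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: simplified stand-in for fail2ban's <HOST> tag expansion.
HOST = r"(?P<host>[\w.:-]+)"
FAILREGEX = [re.compile(p) for p in (
    r": warning: [-._\w]+\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
)]
# Values from the [smtppop3imap] jail; strict=False accepts 123.123.123.123/27 (host bits set).
IGNORE = [ipaddress.ip_network(n, strict=False)
          for n in "192.168.1.0/24 123.123.123.123/27 234.234.234.234".split()]
MAXRETRY, FINDTIME = 2, 1200

# Constructed sample lines in /var/log/maillog style (documentation addresses).
SAMPLE_LOG = """\
Jan 10 12:00:00 mail postfix/smtpd[1234]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1
Jan 10 12:05:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1
Jan 10 12:06:00 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=192.168.1.50, lip=192.0.2.1
Jan 10 12:07:00 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=192.168.1.50, lip=192.0.2.1
Jan 10 12:08:00 mail postfix/smtpd[1300]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed: authentication failure
Jan 10 12:40:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<eve>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1
"""

def failed_host(line):
    """Return the client address if any failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def bans(log):
    """Hosts reaching MAXRETRY failures within FINDTIME seconds, counted across all three services."""
    strikes, banned = defaultdict(list), []
    for line in log.splitlines():
        host = failed_host(line)
        if host is None or any(ipaddress.ip_address(host) in n for n in IGNORE):
            continue
        now = datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")  # year is constructed
        recent = [t for t in strikes[host] if (now - t).total_seconds() <= FINDTIME] + [now]
        strikes[host] = recent
        if len(recent) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned
```

On the sample, one SMTP failure plus one POP3 failure from the same address within 1200 seconds triggers the ban, the ignoreip address is never counted, and two failures spaced further apart than findtime do not add up.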

