Hello, I use fail2ban on, among other things, a mail machine in conjunction with the Postfix log files.
I use fail2ban with the default settings, i.e. I have not made any modifications of my own to the rule sets. Annoyingly, mails like this:

Jan 23 22:09:10 mailserver postfix/smtpd[19224]: NOQUEUE: reject: RCPT from unknown[193.36.210.234]: 450 4.7.1 Client host rejected: cannot find your hostname, [193.36.210.234]; from=<> to=<i...@meinedomain.de> proto=ESMTP helo=<faithcure.hevi.okopsrqoel.eu>

are not blocked despite occurring multiple times within a few seconds. Suggestions?

cat /etc/fail2ban/filter.d/postfix-blacklist.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# NOQUEUE: reject: RCPT from port-92-192-50-245.dynamic.qsc.de[92.192.50.245]: 554 5.7.1 Service unavailable; Client host [92.192.50.245] blocked using xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=92.192.50.245; from=<qhnomenclat...@crystalfigurines.net> to=<thisisjusttestlet...@lotusmarmotte.de> proto=ESMTP helo=<port-92-192-50-245.dynamic.qsc.de>
# Feb 18 12:10:55 server5 postfix/smtpd[15352]: NOQUEUE: reject: RCPT from unknown[117.194.40.81]: 504 5.5.2 <HPUBKYS>: Helo command rejected: need fully-qualified hostname; from=<functio...@homebiznine.com> to=<webmas...@pronetcom.de> proto=ESMTP helo=<HPUBKYS>
failregex = reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1 Service unavailable; Client host \[(.*)\] blocked
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 <(.*)>: Helo command rejected: need fully-qualified hostname
#failregex = 554 5.7.1 Service unavailable; Client host \[<HOST>\] blocked

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

******************************************************************************

cat /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Regards,
Sebastian

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
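
Added example, not part of the original message and not fail2ban's own code: it expands the three failregex values quoted above and runs them over the two log lines from the post, showing that each pattern is tied to a `554 5.7.1` or `504 5.5.2` reply and so never sees the `450 4.7.1` rejection. Assumptions: `PREFIX` is a simplified stand-in for `%(__prefix_line)s` (common.conf is not shown in the post), and `CANDIDATE` is a hypothetical pattern for the 450 case.

```python
import re

# <HOST> alias as quoted in the postfix.conf comments in the post.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Assumption: simplified stand-in for %(__prefix_line)s from common.conf,
# which the post does not show.
PREFIX = r".*?postfix/smtpd\[\d+\]:\s+"

# failregex values copied from the two filter files in the post.
FILTERS = {
    "postfix-blacklist #1": r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1 Service unavailable; Client host \[(.*)\] blocked",
    "postfix-blacklist #2": r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 <(.*)>: Helo command rejected: need fully-qualified hostname",
    "postfix": r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
}

# Hypothetical candidate for the 450 4.7.1 rejection; not from the post.
CANDIDATE = r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname"

# Log lines from the post (addresses left truncated as they appear there).
LINE_450 = "Jan 23 22:09:10 mailserver postfix/smtpd[19224]: NOQUEUE: reject: RCPT from unknown[193.36.210.234]: 450 4.7.1 Client host rejected: cannot find your hostname, [193.36.210.234]; from=<> to=<i...@meinedomain.de> proto=ESMTP helo=<faithcure.hevi.okopsrqoel.eu>"
LINE_504 = "Feb 18 12:10:55 server5 postfix/smtpd[15352]: NOQUEUE: reject: RCPT from unknown[117.194.40.81]: 504 5.5.2 <HPUBKYS>: Helo command rejected: need fully-qualified hostname; from=<functio...@homebiznine.com> to=<webmas...@pronetcom.de> proto=ESMTP helo=<HPUBKYS>"


def compile_failregex(raw):
    """Expand the fail2ban placeholders as the filter comments describe."""
    return re.compile(raw.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))


def matched_host(raw, line):
    """Return the captured host if the failregex matches the line, else None."""
    m = compile_failregex(raw).search(line)
    return m.group("host") if m else None


def report(line):
    """Map each filter name to the host it would capture (None = no match)."""
    return {name: matched_host(raw, line) for name, raw in FILTERS.items()}


if __name__ == "__main__":
    print(report(LINE_450))   # no filter from the post matches the 450 line
    print(report(LINE_504))   # only the 504 pattern matches its sample line
    print(matched_host(CANDIDATE, LINE_450))
```

Against a real log, `fail2ban-regex` performs the same check with the actual `common.conf` prefix. A 450 reply is a temporary rejection, so a filter that bans on it will also catch legitimate senders whose reverse DNS is briefly unresolvable.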