Generally speaking, you could use a multi-line regex to look for the sequence and then ban the offending IP, or you could use a single-line regex to ban all users for a short amount of time on disconnect and use the recidive jail to ban a large number of disconnects.

On Tue, 2015-09-29 at 14:30 -0700, Gao wrote:
> Hello, all
>
> I have the postfix-sasl jail enabled and it works well against attack,
> such as "Failed login".
>
> I just noticed that my email server's maillog is flooded with this:
> ...
> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:24 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:24 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> ...
>
> And the fail2ban does nothing about this! No new entry about this in
> fail2ban.log. The attack is still going and I am going to manually kill
> it in iptables.
>
> What should I do about this in fail2ban? Please help.
>
> Thanks.
>
> Gao
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
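
The single-line option from the reply above, sketched as fail2ban configuration; this is an added example, not part of the original thread. The jail name `postfix-auth-lost`, the file paths and the thresholds are assumptions, and the regex is written against the log lines quoted in the thread.

```ini
# /etc/fail2ban/filter.d/postfix-auth-lost.conf  (hypothetical file name)
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
# Matches: postfix/smtpd[PID]: lost connection after AUTH from name[ip]
failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]\s*$
ignoreregex =

# /etc/fail2ban/jail.local  (thresholds are assumptions; tune to your traffic)
[postfix-auth-lost]
enabled  = true
filter   = postfix-auth-lost
port     = smtp,465,submission
# Assumed path; the thread only says "maillog"
logpath  = /var/log/maillog
# Short ban: 5 aborted AUTH attempts within 60 s bans the source for 10 min
findtime = 60
maxretry = 5
bantime  = 600

# Escalation: sources banned repeatedly by any jail get a long ban
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
findtime = 86400
maxretry = 5
bantime  = 604800
```

Run `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-auth-lost.conf` to confirm the filter matches before enabling the jail. The first ban is kept short because a legitimate client that drops the connection after AUTH produces the same log line.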
