On 15-09-29 03:05 PM, Harrison Johnson wrote:
Generally speaking you could use a multi-line regex to look for the sequence then ban the offending IP or you could use a single line regex to ban all users for a short amount of time on disconnect and use the recidive jail to ban a large number of disconnects.
OK, here is what I did to stop this attack.

I created a new filter:

[root@szeta fail2ban]# cat filter.d/postfix-auth.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)slost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

Then enabled the jail in jail.local:

[postfix-auth]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
action = %(action_mwl)s
bantime = 604800
findtime = 600
maxretry = 5

Restart fail2ban. Then I got the alert mail:

Hi,

The IP 37.187.77.147 has just been banned by Fail2Ban after 1736 attempts against postfix-auth.

Thank you for the help.

Gao
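The following is an added example, not Gao's configuration or fail2ban's own code: a small Python script that checks the failregex from the filter above against constructed Postfix log lines and simulates the jail's maxretry/findtime counting, the way one would sanity-check a new filter before deploying it. It assumes a simplified, hypothetical expansion of fail2ban's %(__prefix_line)s for plain syslog lines (the real common.conf prefix is more permissive), fixes the log year to 2015 because syslog timestamps carry none, and uses only constructed hosts in documentation address ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: a simplified stand-in for fail2ban's %(__prefix_line)s covering
# "Mon DD HH:MM:SS host postfix/[submission/]smtpd[pid]: ". The real prefix in
# common.conf accepts more syslog variants; this one is enough to test the rule.
DAEMON = r"postfix/(?:submission/)?smtp(?:d|s)"
PREFIX_LINE = (r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
               + DAEMON + r"(?:\[\d+\])?: ")
# fail2ban's standard <HOST> expansion (named group "host").
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex from the postfix-auth filter with the placeholders expanded.
FAILREGEX = re.compile(r"^" + PREFIX_LINE
                       + r"lost connection after AUTH from (.*)\[" + HOST + r"\]")

# Constructed sample log lines (not real traffic). 192.0.2.10 fails five times
# inside 600 s; 203.0.113.5 fails four times, then once 12 minutes later, so
# its earlier attempts have aged out of the findtime window.
LOG_LINES = [
    "Sep 29 15:00:00 szeta postfix/smtpd[12340]: lost connection after AUTH from unknown[203.0.113.5]",
    "Sep 29 15:00:10 szeta postfix/smtpd[12340]: lost connection after AUTH from unknown[203.0.113.5]",
    "Sep 29 15:00:20 szeta postfix/smtpd[12340]: lost connection after AUTH from unknown[203.0.113.5]",
    "Sep 29 15:00:30 szeta postfix/smtpd[12340]: lost connection after AUTH from unknown[203.0.113.5]",
    "Sep 29 15:05:01 szeta postfix/smtpd[12345]: lost connection after AUTH from unknown[192.0.2.10]",
    "Sep 29 15:05:02 szeta postfix/submission/smtpd[12346]: lost connection after AUTH from mail.example.net[198.51.100.7]",
    "Sep 29 15:05:03 szeta postfix/smtpd[12345]: connect from unknown[192.0.2.10]",
    "Sep 29 15:05:05 szeta postfix/smtpd[12345]: lost connection after AUTH from unknown[192.0.2.10]",
    "Sep 29 15:05:09 szeta postfix/smtpd[12345]: lost connection after AUTH from unknown[192.0.2.10]",
    "Sep 29 15:05:13 szeta postfix/smtpd[12345]: lost connection after AUTH from unknown[192.0.2.10]",
    "Sep 29 15:05:17 szeta postfix/smtpd[12345]: lost connection after AUTH from unknown[192.0.2.10]",
    "Sep 29 15:12:00 szeta postfix/smtpd[12350]: lost connection after AUTH from unknown[203.0.113.5]",
]


def match_line(line, year=2015):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    # Syslog timestamps have no year; assume one so intervals can be computed.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("host")


def simulate_jail(lines, maxretry=5, findtime=600):
    """Apply fail2ban-style counting: ban a host once it reaches maxretry
    matching lines within any findtime-second window. Returns {host: ban_time}."""
    attempts = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None or hit[1] in banned:
            continue
        ts, host = hit
        window = attempts[host]
        window.append(ts)
        # Drop attempts older than findtime relative to the newest one.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in simulate_jail(LOG_LINES).items():
        print(f"{host} banned at {when:%Y-%m-%d %H:%M:%S}")
```

With the jail settings from the message (maxretry = 5, findtime = 600) only 192.0.2.10 ends up banned; the "connect from" line is correctly ignored, and 203.0.113.5 escapes because its four early failures have expired before the fifth arrives. Running the real regex with fail2ban-regex against the actual mail log remains the authoritative check, since it uses the genuine common.conf prefix.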
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
