Hi Harrison, I see you suggest a multi-line regex but I'd love to know how. I posted a few weeks ago but got no response. The issue I had was trying to pick up the same <HOST> on each line. To do a multi-line regex with a single instance of <HOST> was OK, but I could not find a way to make sure multiple lines had the same <HOST>.

@Gao, I'll post again when I'm home, but I pick up more messages than just AUTH (RCPT, STARTTLS, EHLO etc.) to respond to multiple events I've seen.

Nick

On 2015-09-29 23:05, Harrison Johnson wrote:
> Generally speaking you could use a multi-line regex to look for the
> sequence then ban the offending IP, or you could use a single-line
> regex to ban all users for a short amount of time on disconnect and
> use the recidive jail to ban a large number of disconnects.
>
> On Tue, 2015-09-29 at 14:30 -0700, Gao wrote:
> Hello, all
>
> I have the postfix-sasl jail enabled and it works well against
> attacks, such as "Failed login".
>
> I just noticed that my email server's maillog is flooded with this:
> ...
> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:23 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:24 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:24 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> ...
>
> And fail2ban does nothing about this! No new entry about this in
> fail2ban.log. The attack is still going and I am going to manually kill
> it in iptables.
>
> What should I do about this in fail2ban? Please help.
>
> Thanks.
>
> Gao
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users [1]
>
> Links:
> ------
> [1] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
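Harrison's single-line approach (treat every "lost connection after AUTH" line as one failure for <HOST> and let maxretry/findtime do the counting), worked through on the log Gao posted as an added example; this is not code from the thread or from fail2ban itself. The regexes, the IPv4-only <HOST> expansion, the made-up host 192.0.2.10 and the assumed year 2015 are this example's own.

```python
"""Count fail2ban-style failregex matches per host inside findtime, the way a
single-line postfix filter treats Gao's log: each "lost connection after AUTH"
line is one failure for <HOST>; maxretry failures inside findtime mean a ban."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Syslog prefix that fail2ban's date detector would strip off first.
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# failregex with <HOST> expanded to an IPv4 capture (simplified: fail2ban's own
# expansion also accepts hostnames and IPv6).
FAILREGEX = re.compile(r"^\S+ postfix/smtpd\[\d+\]: lost connection after AUTH "
                       r"from \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]$")
# Constructed sample: Gao's lines plus a made-up host 192.0.2.10 to show the window.
SAMPLE_LOG = [
    "Sep 29 14:05:00 szeta postfix/smtpd[20010]: lost connection after AUTH from mail.example.net[192.0.2.10]",
    "Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]",
    "Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]",
    "Sep 29 14:19:22 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]",
    "Sep 29 14:19:23 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]",
    "Sep 29 14:19:25 szeta postfix/smtpd[20011]: lost connection after AUTH from mail.example.net[192.0.2.10]",
    "Sep 29 14:19:26 szeta postfix/smtpd[20012]: lost connection after AUTH from mail.example.net[192.0.2.10]",
]

def find_offenders(lines, maxretry=3, findtime=600, year=2015):
    """Return {host: time of the maxretry-th failure inside findtime}, i.e. when
    fail2ban would ban it. Syslog lines carry no year, so one is assumed."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)    # host -> failure times still inside the window
    banned = {}
    for line in lines:
        m = SYSLOG_TS.match(line)
        f = FAILREGEX.match(m.group("rest")) if m else None
        if not f:
            continue               # connect/disconnect lines are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        host = f.group("host")
        if host in banned:
            continue               # already banned; later failures change nothing
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {host} at {when:%b %d %H:%M:%S}")
```

With the defaults the offending host is banned at the third failure; the 14:05:00 failure of the second host has already aged out of the 600 s window, so that host is not.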
