Let me see if I can find an example, after I get some caffeine.

On Wed, 2015-09-30 at 08:08 +0100, Nick Howitt wrote:
> Hi Harrison,
> I see you suggest a multi-line regex but I'd love to know how. I posted
> a few weeks ago but got no response. The issue I had was trying to pick
> up the same <HOST> on each line. To do a multi-line regex with a single
> instance of <HOST> was OK but I could not find a way to make sure
> multiple lines had the same <HOST>.
>
> @Gao,
> I'll post again when I'm home, but I pick up more messages than just
> AUTH (RCPT, STARTTLS, EHLO etc.) to respond to multiple events I've seen.
>
> Nick
>
> On 2015-09-29 23:05, Harrison Johnson wrote:
> > Generally speaking you could use a multi-line regex to look for the
> > sequence then ban the offending IP, or you could use a single-line
> > regex to ban all users for a short amount of time on disconnect and
> > use the recidive jail to ban a large number of disconnects.
> >
> > On Tue, 2015-09-29 at 14:30 -0700, Gao wrote:
> > Hello, all
> >
> > I have the postfix-sasl jail enabled and it works well against
> > attacks, such as "Failed login".
> >
> > I just noticed that my email server's maillog is flooded with this:
> > ...
> > Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:22 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:22 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:22 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:23 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:23 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:23 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:23 szeta postfix/smtpd[20009]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:24 szeta postfix/smtpd[20009]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > Sep 29 14:19:24 szeta postfix/smtpd[20009]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
> > ...
> >
> > And fail2ban does nothing about this! No new entry about this in
> > fail2ban.log. The attack is still going and I am going to manually kill
> > it in iptables.
> >
> > What should I do about this in fail2ban? Please help.
> >
> > Thanks.
> >
> > Gao
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
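To make the two approaches in the thread concrete: the following is an added example (not code from this thread or from fail2ban) that applies a single-line pattern for "lost connection after AUTH" and then counts matches per host inside a findtime window, which is how fail2ban's maxretry/findtime logic does the same-<HOST> correlation Nick was trying to express inside the regex. The pattern, the hostnames and the RFC 5737 addresses in the sample log are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Single-line pattern in the spirit of a fail2ban failregex; fail2ban's <HOST> tag is
# spelled out here as the named group "host". Written for this example, not taken
# from the shipped postfix-sasl filter.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<host>[0-9a-fA-F.:]+)\]$"
)

# Constructed maillog excerpt modelled on the one in the thread (RFC 5737 test addresses).
SAMPLE_LOG = """\
Sep 29 14:19:21 mx postfix/smtpd[19940]: connect from host.example[192.0.2.10]
Sep 29 14:19:22 mx postfix/smtpd[19940]: lost connection after AUTH from host.example[192.0.2.10]
Sep 29 14:19:22 mx postfix/smtpd[19940]: disconnect from host.example[192.0.2.10]
Sep 29 14:19:22 mx postfix/smtpd[20009]: lost connection after AUTH from host.example[192.0.2.10]
Sep 29 14:19:23 mx postfix/smtpd[19940]: lost connection after AUTH from host.example[192.0.2.10]
Sep 29 14:19:40 mx postfix/smtpd[20011]: lost connection after AUTH from other.example[198.51.100.7]
Sep 29 14:21:00 mx postfix/smtpd[20012]: lost connection after AUTH from other.example[198.51.100.7]
Sep 29 14:25:00 mx postfix/smtpd[20013]: lost connection after AUTH from other.example[198.51.100.7]
""".splitlines()

def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(lines, year=2015, maxretry=3, findtime=60):
    """Replay log lines and return {host: time_of_ban} for every host that produced
    maxretry matching lines within a findtime-second window. The same-<HOST>
    correlation happens here, not in the regex: lines match one at a time and
    failures are counted per host, as fail2ban's jail does."""
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m["host"] in banned:
            continue
        t = parse_ts(m["ts"], year)
        window = recent[m["host"]]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            banned[m["host"]] = t
    return banned
```

The connect/disconnect lines never match, so only the AUTH drops count; the second host stays below maxretry with the 60-second window and is only caught when findtime is widened.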
