Your welcome. On Wed, 2015-09-30 at 10:29 -0700, Gao wrote: > Thnaks. Added the maxlines and now looks good: > > > [root@szeta ~]# > fail2ban-regex /var/log/maillog-20150928 > /etc/fail2ban/filter.d/postfix-auth.conf > > Running tests > ============= > > Use failregex filter file : postfix-auth, basedir: /etc/fail2ban > Use maxlines : 10 > Use log file : /var/log/maillog-20150928 > Use encoding : UTF-8 > > > Results > ======= > > Failregex: 311 total > |- #) [# of hits] regular expression > | 1) [260] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d > +\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s > +[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection > after AUTH from (.*)\[<HOST>\] > | 2) [49] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] > )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s > +[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection > after EHLO from (.*)\[<HOST>\] > | 3) [2] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] > )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s > +[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S > +\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection > after UNKNOWN from (.*)\[<HOST>\] > `- > > Ignoreregex: 0 total > > Date template hits: > |- [# of hits] date format > | [10623] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: > Year)? > `- > > Lines: 10623 lines, 0 ignored, 311 matched, 10312 missed [processed in > 1.44 sec] > Missed line(s): too many to print. Use --print-all-missed to print > all 10312 lines > > > > > On 15-09-30 10:05 AM, Harrison Johnson wrote: > > > > > In the [Init] section of the filter file add a line: > > maxlines = 10 > > this sets up a buffer of 10 lines from the log file change the > > number as needed. Now your failregex will match to those lines. > > On Wed, 2015-09-30 at 09:14 -0700, Gao wrote: > > > > > After another look of the maillog, I see there are also at least another > > > attack like this, instead of AUTH, there are EHLO, RCPT, UNKNOWN, > > > STARTTLS and CONNECT, among these, EHLO is for sure anther attack. The > > > others does not have many attempts in a short period. > > > > > > May be I should make it a wildcard in the filter. But I don't want block > > > the normal user by mistake. > > > > > > Now, I set findtime=120 and maxretry=5. Also the filter now is like this: > > > > > > failregex = ^%(__prefix_line)slost connection after AUTH from > > > (.*)\[<HOST>\] > > > ^%(__prefix_line)slost connection after EHLO from > > > (.*)\[<HOST>\] > > > ^%(__prefix_line)slost connection after UNKNOWN from > > > (.*)\[<HOST>\] > > > > > > > > > Gao > > > > > > > > > > > > > > > > > > > > > On 15-09-30 04:42 AM, Nick Howitt wrote: > > > > I think it can be pretty bad behaviour if you get too many attempts too > > > > quickly. I've seen over 1000 in 24h from a single IP. I generally see > > > > nothing but every now and then someone has a go and it is a bit > > > > irritating. > > > > > > > > I also had one IP doing about 6 attempts an hour for days until I > > > > spotted it and blocked it. I was blocking 10 occurrences in an hour but > > > > dropped it to 5 an hour to combat the IP. > > > > > > > > On 2015-09-30 12:08, Darac Marjal wrote: > > > >> On Tue, Sep 29, 2015 at 02:30:47PM -0700, Gao wrote: > > > >>> Hello, all > > > >>> > > > >>> I have the postfix-sasl jail enabled and it works well against attack, > > > >>> such as > > > >>> "Failed login". > > > >>> > > > >>> I just notified that my email server's maillog flood with this: > > > >>> ... > > > >>> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from > > > >>> ns3366447.ip-37-187-77.eu[37.187.77.147] > > > >>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH > > > >>> from > > > >>> ns3366447.ip-37-187-77.eu[37.187.77.147] > > > >>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from > > > >>> ns3366447.ip-37-187-77.eu[37.187.77.147] > > > >> "Lost connection after AUTH" means that postfix sent "AUTH" to the > > > >> client, and the client disconnected. In other words, the client > > > >> probably > > > >> attempted some action which you've configured that only authorized > > > >> users > > > >> can perform (usually, this is something like sending mail to a > > > >> different > > > >> serveer (relaying)). Postfix said "authorize yourself in order to > > > >> perform this action", and the client just dropped the connection > > > >> (rather > > > >> than cleanly quitting and waiting for postfix to close the conecction). > > > >> > > > >> In other words, no authorization was attempted. > > > >> > > > >> I suspect that fail2ban doesn't block this normally because it's not > > > >> really bad behaviour. It's akin to someone connecting to your SSH port > > > >> and disconnecting upon finding that it's asking for a password :) > > > >> > > > >>> ... > > > >>> > > > >>> And the fail2ban does nothing about this! No new entry about this in > > > >>> fail2ban.log. The attack is still going and I am going to manual kill > > > >>> it in > > > >>> iptables. > > > >>> > > > >>> What should I do about this in fail2ban? Please help. > > > >>> > > > >>> Thanks. > > > >>> > > > >>> Gao > > > >>> > > > >>> ------------------------------------------------------------------------------ > > > >>> _______________________________________________ > > > >>> Fail2ban-users mailing list > > > >>> [email protected] > > > >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > >> > > > >> ------------------------------------------------------------------------------ > > > >> > > > >> _______________________________________________ > > > >> Fail2ban-users mailing list > > > >> [email protected] > > > >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > > > Fail2ban-users mailing list > > > > [email protected] > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > > > > > > > ------------------------------------------------------------------------------ > > > _______________________________________________ > > > Fail2ban-users mailing list > > > [email protected] > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > > > >
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
