On 13-04-16 00:03, [email protected] wrote:
> I have a postfix postqueue Amavis filter set up to do A/V scanning.
>
> Right now, it's configured to DISCARD virus-tagged content.
>
> It works as far as detection and discard goes.
>
> I want to run fail2ban over the Postfix logs to identify the IP of the virus
> sender, and set a firewall block for a while.
>
> But if you look at the log for the postqueue filter's rejection message at
> postscreen, it does NOT have the IP address.
>
> Other log lines have it, but not the one reject message.
>
> Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from
> [104.44.131.209]:1024 to [192.0.1.17]:25
> Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW
> [104.44.131.209]:1024
> Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from
> ldoquy20.cloudapp.net[104.44.131.209]
> Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE:
> client=ldoquy20.cloudapp.net[104.44.131.209]
> Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from
> localhost[127.0.0.1]
> Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]:
> 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
> Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39:
> message-id=<[email protected]>
> Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39:
> from=<[email protected]>, size=3301, nrcpt=1 (queue active)
>>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept:
>>> END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED:
>>> Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]>
>>> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>
> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from
> ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1
> commands=5
>
> This is different than the other postfix log messages that show a REJECT.
> They have the IP address and I can act on it directly in a fail2ban-detected
> line.
>
> How do I reliably get the fail2ban-actionable IP out of this one-line match,
> and into a filter?
There is no IP address, so you can't. You're accepting-then-discarding
the message, so I'm assuming you don't want to let the sender know that
you detected the virus. But then there's no reason to block the sender
for subsequent deliveries in your firewall either, as the sender will
notice that too (depending on the sender actually noticing anything
you're doing, which is questionable when it's a spammer).
If the REJECT log message does have an IP address in the response, I
suggest you start using that.
Regards,
Tom
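Added example, not part of either message above: fail2ban matches one log line at a time, which is why the discard line alone yields no IP, but the smtpd PID in every line ties the "discarded ... INFECTED" line back to the "connect from host[IP]" line of the same connection. The script assumes Postfix's behaviour that one smtpd process serves one client at a time, and uses a constructed copy of the quoted log lines with placeholder addresses; it is a pre-processing step, not a fail2ban filter.

```python
import ipaddress
import re

# Constructed sample modelled on the lines quoted in the post; mail addresses are placeholders.
SAMPLE_LOG = """\
Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from localhost[127.0.0.1]
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<sender@example.invalid> to=<user@example.invalid> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Every smtpd line carries the worker PID; an smtpd process serves one client
# at a time, so the PID links "connect from" to the later discard line.
CONNECT_RE = re.compile(r"smtpd\[(\d+)\]: connect from [^\[\s]+\[([^\]]+)\]")
DISCONNECT_RE = re.compile(r"smtpd\[(\d+)\]: disconnect from ")
INFECTED_RE = re.compile(
    r"smtpd\[(\d+)\]: proxy-accept: END-OF-MESSAGE: 250 .*\bdiscarded\b.*"
    r" INFECTED: ([^;]+);"
)


def infected_client_ips(lines):
    """Return [(client_ip, signature)] for each message discarded as infected."""
    clients = {}  # smtpd PID -> IP of the client that process is currently serving
    hits = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            clients.pop(m.group(1), None)  # never reuse a stale mapping
            continue
        m = INFECTED_RE.search(line)
        if not m:
            continue
        ip = clients.get(m.group(1))
        if ip is None:
            continue  # connect line missing (e.g. rotated away): nothing safe to act on
        # The Amavis re-injection path (postqreturn) logs 127.0.0.1; banning
        # loopback would break the mail flow, so skip it.
        if ipaddress.ip_address(ip).is_loopback:
            continue
        hits.append((ip, m.group(2)))
    return hits


if __name__ == "__main__":
    for ip, sig in infected_client_ips(SAMPLE_LOG.splitlines()):
        print(f"{ip} sent {sig}")
```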
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users