I thought f2b >= 0.9 could now do a multi-line match so you could pick up on the NOQUEUE message and the REJECT message but, at a guess, you'd need to match the process ID between the two messages to make sure the messages are connected.
Don't ask me how to do a multi-line match as I've no idea. I've just seen the release notes.

Nick

On 2016-04-13 08:28, Tom Hendrikx wrote:
> On 13-04-16 00:03, [email protected] wrote:
>> I have a postfix postqueue Amavis filter set up to do A/V scanning.
>>
>> Right now, it's configured to DISCARD virus-tagged content.
>>
>> It works as far as detection and discard goes.
>>
>> I want to run fail2ban over the Postfix logs to identify the IP of the
>> Virus sender, and set a firewall block for a while.
>>
>> But if you look at the log for the postqueue filter's rejection
>> message at postscreen, it does NOT have the IP address.
>>
>> Other log lines have it, but not the one reject message.
>>
>> Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
>> Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
>> Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
>> Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
>> Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from localhost[127.0.0.1]
>> Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
>> Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<[email protected]>
>> Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<[email protected]>, size=3301, nrcpt=1 (queue active)
>>>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>
>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>>
>> This is different from the other postfix log messages that show a
>> REJECT. They have the IP address and I can act on it directly in a
>> fail2ban-detected line.
>>
>> How do I reliably get the fail2ban-actionable IP out of this one-line
>> match, and into a filter?
>
> There is no IP address, so you can't. You're accepting-then-discarding
> the message, so I'm assuming you don't want to let the sender know that
> you detected the virus. But then there's no reason to block the sender
> for subsequent deliveries in your firewall either, as the sender will
> notice that too (depending on the sender actually noticing anything
> you're doing, which is questionable when it's a spammer).
>
> If the REJECT log message does have an IP address in the response, I
> suggest you start using that.
>
> Regards,
> Tom

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
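The process-ID correlation Nick guesses at above, written out as a stand-alone Python script rather than a fail2ban filter (this is an added example for the thread, not code from fail2ban, Postfix or any poster; the regexes, the function name and the sample log are this example's own, and the sample is a constructed excerpt modelled on the one in the thread). The `proxy-accept ... discarded ... INFECTED` line carries no client address, but the `connect from` and `NOQUEUE: client=` lines logged earlier by the same `smtpd[pid]` do, so the script keeps a pid-to-IP table and looks it up when the discard line arrives. Two caveats a practitioner wants handled: the mapping is dropped at `disconnect from`, because smtpd processes are reused and a later discard with the same pid would otherwise be blamed on a stale client, and discards attributed to loopback (the `postqreturn` re-injection from 127.0.0.1) are skipped since there is nothing to ban there.

```python
"""Attribute Postfix accept-then-discard events to a client IP by pid.

Added example for the fail2ban-users thread; not fail2ban or Postfix code.
Regexes, names and the sample log below are this example's own assumptions.
"""
import ipaddress
import re

# Constructed sample modelled on the excerpt in the thread (not a real capture).
SAMPLE_LOG = """\
Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<msg@example.net>
Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<sender@example.net>, size=3301, nrcpt=1 (queue active)
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<sender@example.net> to=<user@example.com> proto=ESMTP helo=<ldoquy20.cloudapp.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Only smtpd lines matter; the pid in brackets is the correlation key.
SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:[^\s/\[]+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Lines that name the client: "connect from host[ip]" and "NOQUEUE: client=host[ip]".
CLIENT_RE = re.compile(
    r"^(?:connect from |NOQUEUE: client=)[^\s\[]*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")
# The accept-then-discard line from the proxy filter; has no IP of its own.
DISCARD_RE = re.compile(
    r"^proxy-accept: END-OF-MESSAGE: 250 \S+ Ok, discarded, .*INFECTED: (?P<sig>[^;]+);")
DISCONNECT_RE = re.compile(r"^disconnect from ")


def find_discarded_senders(lines, skip_local=True):
    """Return a list of (ip, signature, timestamp), one per INFECTED discard.

    ip comes from the most recent connect/NOQUEUE line logged by the *same*
    smtpd pid. It is None when no client line was seen for that pid (log
    truncated or rotated mid-session), so the event is visible but unbannable.
    """
    client_by_pid = {}
    hits = []
    for line in lines:
        m = SMTPD_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        cm = CLIENT_RE.match(msg)
        if cm:
            client_by_pid[pid] = cm.group("ip")
            continue
        dm = DISCARD_RE.match(msg)
        if dm:
            ip = client_by_pid.get(pid)
            if skip_local and ip is not None and ipaddress.ip_address(ip).is_loopback:
                continue  # postqreturn re-injection from 127.0.0.1: nothing to ban
            hits.append((ip, dm.group("sig"), m.group("ts")))
            continue
        if DISCONNECT_RE.match(msg):
            # smtpd processes serve many connections in turn; forget the mapping
            # at disconnect so a later discard with this pid is not misattributed.
            client_by_pid.pop(pid, None)
    return hits


if __name__ == "__main__":
    for ip, sig, ts in find_discarded_senders(SAMPLE_LOG.splitlines()):
        print(f"{ts} discarded INFECTED ({sig}) from {ip}")
```

Run it as `python3 correlate.py` (name assumed) against a copy of the mail log; on the sample it reports one event attributed to 104.44.131.209. Feeding the resulting IPs to a ban action is left to the operator, and Tom's point still stands: banning a sender whose message you silently discarded tells them something was detected.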
