On 14-09-16 15:28, Marcus Schopen wrote:
> Hi,
>
> I use fail2ban to block smtp auth failures. A few weeks ago a notebook
> was infected and after that I saw massive logins using this account on my
> smtp relay from world wide fast changing IPs. Ratelimits on smtp auth
> users blocked most of those messages, but before I could close that
> account some spam was sent. Therefore I'm looking for a way to figure
> out, if successful smtp auth logins are coming in a short period of time
> from different IPs, possibly combining with geoip.
>
Fail2ban always keeps count based on ip address, so counts from different
addresses can never be handled by fail2ban.

You should apply this kind of limit using a policy on your MTA. Using
postfix, you could write a simple policy daemon that is able to keep track
of the number of auth attempts per user (or per user per ip address) over
time. See http://www.postfix.org/SMTPD_POLICY_README.html for details.

Kind regards,

Tom
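A sketch of the kind of policy daemon suggested above, added here as an example and not part of the original message or of Postfix itself. It speaks the name=value protocol from SMTPD_POLICY_README and counts distinct client_address values per sasl_username. Assumptions: the WINDOW and MAX_IPS values, the AuthTracker name, state kept in memory by one long-running process, and Postfix calling it through check_policy_service.

```python
#!/usr/bin/env python3
"""Postfix policy-delegation sketch: limit distinct client IPs per SASL user."""
import sys
import time
from collections import defaultdict

WINDOW = 600   # seconds to look back (assumed value, tune to your users)
MAX_IPS = 3    # distinct client addresses allowed per user in WINDOW (assumed)


class AuthTracker:
    def __init__(self, window=WINDOW, max_ips=MAX_IPS):
        self.window, self.max_ips = window, max_ips
        self.seen = defaultdict(dict)   # sasl_username -> {client_address: last_seen}

    def decide(self, attrs, now=None):
        """Return the policy action for one request (dict of attributes)."""
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        ip = attrs.get("client_address", "")
        if not user or not ip:
            return "DUNNO"               # not authenticated: leave to other rules
        ips = self.seen[user]
        ips[ip] = now
        # Forget addresses that have not been seen within the window.
        for old in [a for a, t in ips.items() if now - t > self.window]:
            del ips[old]
        if len(ips) > self.max_ips:
            return "DEFER_IF_PERMIT Too many source addresses for this login"
        return "DUNNO"


def parse_request(lines):
    """Parse the name=value lines of one request into a dict."""
    return dict(l.split("=", 1) for l in lines if "=" in l)


def serve(stream_in=sys.stdin, stream_out=sys.stdout, tracker=None):
    """Read requests terminated by a blank line; answer each with action=..."""
    tracker = tracker or AuthTracker()
    request = []
    for raw in stream_in:
        line = raw.rstrip("\n")
        if line:
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % tracker.decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve()
```

Because the policy service is consulted for mail from already authenticated sessions, this catches the case fail2ban cannot: one account used successfully from many addresses in a short time.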
