Hi Tom, thanks for your time!
On Wednesday, 14.09.2016 at 17:13 +0200, Tom Hendrikx wrote:
>
> On 14-09-16 15:28, Marcus Schopen wrote:
> > Hi,
> >
> > I use fail2ban to block smtp auth failures. A few weeks ago a notebook
> > was infected and after that I saw massive logins using this account on my
> > smtp relay from world wide fast changing IPs. Ratelimits on smtp auth
> > users blocked most of those messages, but before I could close that
> > account some spam was sent. Therefore I'm looking for a way to figure
> > out, if successful smtp auth logins are coming in a short period of time
> > from different IPs, possibly combining with geoip.
> >
>
> Fail2ban always keeps count based on ip address, so counts from
> different addresses can never be handled by fail2ban. You should apply
> this kind of limit using a policy on your MTA.

I understand.

> Using postfix, you could write a simple policy daemon that is able to
> keep track of the number of auth attempts per user (or per user per ip
> address) over time. See http://www.postfix.org/SMTPD_POLICY_README.html
> for details.

It's sendmail ;) Any other ideas?

Ciao
Marcus
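Added example, not part of the original thread: a log-side check for the pattern discussed above, counting distinct client IPs per authenticated user in a sliding window. It assumes sendmail's `AUTH=server, relay=..., authid=...` success lines behind a syslog timestamp; the function name, threshold, window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: syslog timestamp, then sendmail's successful-AUTH record.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?AUTH=server,\s+relay=.*?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\].*?authid=(?P<user>[^,\s]+)"
)

def find_spread_logins(lines, max_ips=3, window=timedelta(minutes=10), year=2016):
    """Return {user: sorted IPs} for accounts that authenticated from more
    than max_ips distinct addresses within any span of length window."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs still in the window
    flagged = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not a successful AUTH record
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[m.group("user")]
        q.append((ts, m.group("ip")))
        while ts - q[0][0] > window:  # expire logins older than the window
            q.popleft()
        ips = {ip for _, ip in q}
        if len(ips) > max_ips:
            flagged.setdefault(m.group("user"), set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

# Constructed sample lines (documentation address ranges, made-up queue ids).
SAMPLE = """\
Sep 14 15:00:01 mx sendmail[2101]: u8ED01aa002101: AUTH=server, relay=[192.0.2.10], authid=alice, mech=PLAIN, bits=0
Sep 14 15:00:40 mx sendmail[2102]: u8ED0eab002102: AUTH=server, relay=dsl.example.net [198.51.100.7], authid=bob, mech=LOGIN, bits=0
Sep 14 15:01:10 mx sendmail[2103]: u8ED1Aac002103: AUTH=server, relay=[198.51.100.23], authid=alice, mech=PLAIN, bits=0
Sep 14 15:02:30 mx sendmail[2104]: u8ED2Uad002104: AUTH=server, relay=[203.0.113.5], authid=alice, mech=PLAIN, bits=0
Sep 14 15:03:05 mx sendmail[2105]: u8ED35ae002105: AUTH=server, relay=[203.0.113.77], authid=alice, mech=PLAIN, bits=0
Sep 14 16:30:00 mx sendmail[2188]: u8EEU0af002188: AUTH=server, relay=dsl.example.net [198.51.100.7], authid=bob, mech=LOGIN, bits=0
""".splitlines()

if __name__ == "__main__":
    for user, ips in find_spread_logins(SAMPLE).items():
        print(f"{user}: {len(ips)} distinct IPs in window: {', '.join(ips)}")
```

Run periodically over the mail log, the flagged account names can feed an alert or an account lock; this works because the count is keyed on the user rather than on the address.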
