On 09/14/2016 05:50 PM, Marcus Schopen wrote:
> On 14-09-16 15:28, Marcus Schopen wrote:
>>> Hi,
>>>
>>> I use fail2ban to block smtp auth failures. A few weeks ago a notebook
>>> was infected and after that I saw massive logins using this account on my
>>> smtp relay from world wide fast changing IPs. Ratelimits on smtp auth
>>> users blocked most of those messages, but before I could close that
>>> account some spam was sent. Therefore I'm looking for a way to figure
>>> out, if successful smtp auth logins are coming in a short period of time
>>> from different IPs, possibly combining with geoip.
>>>
>> It's sendmail ;) Any other ideas?
> Ciao
> Marcus
>

Some time ago I wrote this utility precisely for this purpose: https://github.com/johnfawcett/checkauthlog
It works by parsing the mail log file and keeps track of successful smtp logins. When these come from too many different IPs or go over predetermined limits in a certain time frame, then the mail account is blocked.

Only thing is that I have never used Sendmail, I use it with Postfix and last time I looked it was ok for Exim. If you are interested it should not be too difficult to modify it so that

1) it parses sendmail logs to read smtp sessions
2) it takes blocking action appropriate for sendmail (if you use a mysql database to store user credentials used by Sendmail then this part is already covered).

As this is not directly related to Fail2ban, contact me off list if you are interested.

John

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
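The detection John describes, tracking successful SMTP AUTH logins per account and flagging the account when they come from too many different IPs, or exceed a login limit, within a time window, as an added Python example. This is not checkauthlog's own code and not part of the thread. It assumes Postfix-style smtpd log lines (the sample below is constructed), a fixed year for the year-less syslog timestamps, and thresholds chosen for illustration; it only reports which accounts to block and leaves the MTA-specific blocking step (and any geoip enrichment) to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix-style smtpd lines. A line carrying "sasl_username="
# records a successful SMTP AUTH; the final line is a failed attempt and is
# deliberately ignored by the parser.
SAMPLE_LOG = """\
Sep 14 17:50:01 mail postfix/smtpd[1001]: 0A1B2C3D: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 14 17:50:09 mail postfix/smtpd[1002]: 0A1B2C3E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 14 17:50:30 mail postfix/smtpd[1003]: 0A1B2C3F: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.org
Sep 14 17:51:12 mail postfix/smtpd[1004]: 0A1B2C40: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 14 17:55:00 mail postfix/smtpd[1005]: 0A1B2C41: client=home.example.net[203.0.113.8], sasl_method=PLAIN, sasl_username=bob@example.org
Sep 14 18:20:00 mail postfix/smtpd[1006]: 0A1B2C42: client=home.example.net[203.0.113.8], sasl_method=PLAIN, sasl_username=bob@example.org
Sep 14 18:21:00 mail postfix/smtpd[1007]: 0A1B2C43: warning: unknown[203.0.113.66]: SASL PLAIN authentication failed: authentication failure
"""

# Matches only successful AUTH lines: syslog timestamp, client IP, username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def parse_logins(text, year=2016):
    """Yield (timestamp, user, ip) for every successful AUTH line in `text`.

    Syslog timestamps carry no year, so `year` is supplied by the caller
    (assumption: the log does not span a year boundary).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        yield ts, m["user"], m["ip"]


def find_abused_accounts(logins, window_seconds=600, max_ips=3, max_logins=50):
    """Sliding-window check per account.

    Returns {user: reason} for accounts whose successful logins within any
    `window_seconds` span came from more than `max_ips` distinct IPs or
    exceeded `max_logins` in total. Thresholds are illustrative assumptions.
    """
    windows = defaultdict(deque)  # user -> deque of (ts, ip) in time order
    flagged = {}
    for ts, user, ip in sorted(logins):
        q = windows[user]
        q.append((ts, ip))
        # Drop entries that fell out of the window relative to this login.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if user in flagged:
            continue  # already decided; keep the first reason
        distinct = {entry_ip for _, entry_ip in q}
        if len(distinct) > max_ips:
            flagged[user] = f"{len(distinct)} distinct IPs within {window_seconds}s"
        elif len(q) > max_logins:
            flagged[user] = f"{len(q)} logins within {window_seconds}s"
    return flagged


if __name__ == "__main__":
    for user, reason in find_abused_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"block {user}: {reason}")
```

On the sample, alice@example.org authenticates from four distinct addresses inside 72 seconds and is reported; bob@example.org logs in twice from one address 25 minutes apart and is not. Feeding the real mail log to `parse_logins` (with a tail-follow loop, or from a cron job over the last N minutes) and handing the returned accounts to whatever disables them in your MTA is the part that stays specific to Postfix, Exim or Sendmail.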
