I think the 'auth=0/1' is the number of successful logins vs login attempts. You should be able to key off of this with your failregex.
Bill

On 1/1/2020 4:16 AM, siefke_lis...@web.de wrote:
Hello,

I have a question about catching submission (postfix) connects from IPs which tried it more than one time. Here is an example:

log:
Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:19:13
Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:19:13
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:23:32
Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:23:32
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from unknown[45.143.222.192]
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:26:59
Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:26:59
Jan 1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from unknown[45.143.222.192]
Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:31:36
Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:31:36
Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from unknown[45.143.222.192]
Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:35:21
Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:35:21
Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from unknown[45.143.222.192]
Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

cat /var/log/mail.log | grep 45.143.222.192 | wc -l
1471

Is there a way to handle it with fail2ban?

Thank you
Silvio

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
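
The matching suggested in the reply above, as an added example that is not part of either message and is not fail2ban's own code: a Python regex that picks out submission disconnect lines whose auth counter has the succeeded/attempted form, followed by a maxretry/findtime count per IP. The year (syslog omits it), the 203.0.113.7 line and the threshold values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the log lines quoted in the thread, plus one constructed line
# (203.0.113.7, a documentation address) showing a session with a clean login.
SAMPLE_LOG = """\
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:27:10 ru-mail postfix/submission/smtpd[7399]: disconnect from unknown[203.0.113.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:31:36
"""

# Only disconnect lines with "auth=<succeeded>/<attempted>" match; connect,
# anvil and "auth=1" lines do not. In a fail2ban failregex the ip group
# would be written as <HOST>.
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/submission/smtpd\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?: \S+)*? auth=(?P<ok>\d+)/(?P<tried>\d+)(?: |$)"
)

def failed_auth_events(log_text, year=2020):
    """Yield (timestamp, ip) once per failed AUTH command found in the log."""
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if not m:
            continue
        failed = int(m["tried"]) - int(m["ok"])
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for _ in range(failed):
            yield ts, m["ip"]

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least maxretry failed AUTHs inside a findtime window."""
    seen, flagged = defaultdict(list), set()
    for ts, ip in failed_auth_events(log_text):
        # Keep only earlier failures still inside the window, then add this one.
        seen[ip] = [t for t in seen[ip] if ts - t <= findtime] + [ts]
        if len(seen[ip]) >= maxretry:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

With one failed attempt roughly every four minutes, as in the quoted log, the findtime window has to be wide enough to hold maxretry of them or the address is never flagged.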