I think the 'auth=0/1' is the number of successful logins vs login attempts.
You should be able to key off of this with your failregex.

Bill

On 1/1/2020 4:16 AM, siefke_lis...@web.de wrote:
Hello,

I have a question about catching submission (postfix) connects from IPs
which tried it more than one time.

Here is an example:

log:

Jan  1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:19:13
Jan  1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:19:13
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:23:32
Jan  1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:23:32
Jan  1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from unknown[45.143.222.192]
Jan  1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:26:59
Jan  1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:26:59
Jan  1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from unknown[45.143.222.192]
Jan  1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:31:36
Jan  1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:31:36
Jan  1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from unknown[45.143.222.192]
Jan  1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:35:21
Jan  1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:35:21
Jan  1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from unknown[45.143.222.192]
Jan  1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

cat /var/log/mail.log | grep 45.143.222.192 | wc -l
1471

Is there a way to handle it with fail2ban?

Thank you
Silvio


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users