This is one way. Another way is to lock out the login ports for large IP blocks. See: https://github.com/dpsystems/login-shield

This is proving to stop almost all my unauthorized login attempts. It's using the same tech that F2B uses, just implements a different, larger net in ipsets.

I love f2b and use it, but the fact that it only blocks individual IPs isn't always very efficient. The set of scripts above adds some larger-scale network blocking of select login ports to make f2b work even better with less system resources.

At 10:52 AM 1/1/2020, you wrote:
Indeed. See my postfix-failedauth jail at
https://github.com/fail2ban/fail2ban/issues/2200

Dominic

On Wed, 1 Jan 2020, 15:37 Bill Shirley, <bshir...@openmri-scottsboro.com> wrote:

I think the 'auth=0/1' is the number of successful logins vs login attempts. You should be
able to key off of this with your failregex.

Bill
On 1/1/2020 4:16 AM, siefke_lis...@web.de wrote:

Hello,


I have a question about catching submission (postfix) connects from IPs which tried it more than one time.


Here is an example:


log:


Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:19:13

Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:19:13

Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]

Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:23:32

Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:23:32

Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from unknown[45.143.222.192]

Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:26:59

Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:26:59

Jan 1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from unknown[45.143.222.192]

Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:31:36

Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:31:36

Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from unknown[45.143.222.192]

Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:35:21

Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:35:21

Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from unknown[45.143.222.192]

Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4


cat /var/log/mail.log | grep 45.143.222.192 | wc -l

1471


Is there a way to handle it with fail2ban?


Thank you

Silvio



_______________________________________________

Fail2ban-users mailing list

Fail2ban-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/fail2ban-users