Hi all, I've been using fail2ban for a while. Recently, I noticed a couple of IPs which are attempting to attack our sendmail server. They connect and then issue lots of RCPT TO commands, trying to see who will be accepted. Sendmail rejects them because the inquiring server is listed in Spamhaus, and it also throttles them. Meanwhile, fail2ban notices the failures and bans the offending IP in sendmail-reject and shortly thereafter in recidive, but the established connection is not dumped and they keep testing user names.
I tried to write a custom action using tcpkill but it didn't work. I've read that if I add a default policy of DROP on the INPUT chain, then perhaps that would do the trick, but I don't want to kill TCP keepalive for regular users accessing IMAP or HTTP. What are my options? -CJ
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
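As an added illustration of the problem CJ describes (this is example code, not part of the original post and not one of fail2ban's own action files): a ban helper that does two things a plain per-IP REJECT may not. It inserts the REJECT at position 1 of INPUT, ahead of any `--ctstate ESTABLISHED -j ACCEPT` rule that would otherwise keep passing packets of the attacker's existing session, and it tears down the sockets the attacker already holds with `ss -K` (iproute2; the kernel must be built with CONFIG_INET_DIAG_DESTROY, otherwise `ss -K` silently skips the sockets). The script name, the port constant and the iptables-save excerpts are constructed for this example; `<ip>` in the suggested actionban line is fail2ban's real tag.

```shell
#!/bin/bash
# Added example (not from the original post or from fail2ban): ban helper that
# also cuts already-established SMTP sessions. Assumes iptables and iproute2
# `ss` with -K support. Chain position, port and sample dumps are assumptions.

SMTP_PORT=25

# Emit the commands that ban $1. Kept as a printing function so the plan can be
# inspected (and tested) without root; main pipes it into sh to apply it.
ban_commands() {
    ip="$1"
    # No -m conntrack state match, so packets of existing sessions are hit too;
    # position 1 puts the rule before any ESTABLISHED ACCEPT. tcp-reset makes
    # the attacker's stack drop the connection on its next segment.
    printf 'iptables -I INPUT 1 -s %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$ip" "$SMTP_PORT"
    # Destroy the live sockets on our side. From the server's point of view the
    # local port (sport) is 25 and the peer address (dst) is the attacker.
    printf "ss -K -tn 'dst %s sport = :%s'\n" "$ip" "$SMTP_PORT"
}

unban_commands() {
    ip="$1"
    printf 'iptables -D INPUT -s %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$ip" "$SMTP_PORT"
}

# Ordering check on an iptables-save dump read from stdin: returns 0 when the
# first "-s <ip> ... -j REJECT" rule in INPUT comes before the first
# "ESTABLISHED ... -j ACCEPT" rule (or no such ACCEPT exists), 1 otherwise.
reject_before_established() {
    awk -v ip="$1" '
        /^-A INPUT / {
            n++
            if ($0 ~ ("-s " ip "(/32)? ") && $0 ~ /-j REJECT/ && !r) r = n
            if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/ && !e) e = n
        }
        END { exit !(r && (!e || r < e)) }'
}

# Constructed iptables-save excerpts (not captured from a real host).
# Wrong order: the ESTABLISHED ACCEPT is evaluated first, so a REJECT appended
# later never sees the attacker's existing session.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT'
# Right order: the per-IP REJECT precedes the ESTABLISHED ACCEPT.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

main() {
    case "$1" in
        ban)   ban_commands "$2" | sh ;;
        unban) unban_commands "$2" | sh ;;
        show)  ban_commands "$2" ;;
        check) if iptables-save | reject_before_established "$2"; then
                   echo "ok: REJECT for $2 precedes ESTABLISHED ACCEPT"
               else
                   echo "WARNING: ESTABLISHED ACCEPT precedes REJECT for $2" >&2; exit 1
               fi ;;
        *) echo "usage: $0 ban|unban|show|check <ip>" >&2; exit 2 ;;
    esac
}

# Only run main when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Wired into fail2ban, the action file would carry `actionban = /usr/local/sbin/smtp-kill ban <ip>` and `actionunban = /usr/local/sbin/smtp-kill unban <ip>` (path assumed). The `check` subcommand is the caveat worth keeping: fail2ban's stock iptables actions insert their chain with `-I INPUT`, so they normally sit ahead of an ESTABLISHED ACCEPT, but a firewall manager that reloads its rule set later can put its own ACCEPT back in front, and then a ban only affects new connections. Killing the socket with `ss -K` is what actually ends sendmail's side of the session; without it the server's socket stays open until sendmail itself times the client out, even though the attacker is receiving resets. None of this touches keepalives of other clients, since every rule is scoped to the banned address and port.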