On 02/05/2021 22:57, Clive Jacques wrote:
> Hi all,
>
> I've been using fail2ban for a while. Recently, I noticed a couple of
> IPs which are attempting to attack our sendmail server. They connect
> and then issue lots of RCPT TO commands, trying to see who will be
> accepted. Sendmail rejects them because the inquiring server is
> listed in Spamhaus, and it also throttles them. Meanwhile, fail2ban
> notices the failures and bans the offending IP in sendmail-reject and
> shortly thereafter in recidive, but the established connection is not
> dumped and they keep testing user names.
>
> I tried to write a custom action using tcpkill but it didn't work.
> I've read that perhaps if I add a default policy of DROP on the INPUT
> chain, then perhaps that would do the trick, but I don't want to kill
> tcp-keepalive for regular users accessing imap or http.
>
> What are my options?
One option is to limit the number of authentication attempts an application allows before forcing a reconnection. For example, in ssh, you'd say "MaxAuthTries X". In Apache, you'd say "max_requests_per_child" or similar. I think you want to find similar within sendmail. If sendmail can't do that (I'm struggling to find decent documentation for it), consider replacing sendmail with exim or postfix - both of which DO have this capability.

> -CJ
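The per-connection limit the reply describes, written out for sendmail as an added example (editor's addition, not from the thread). The option names are from sendmail's cf/README as I recall them; BadRcptShutdown is assumed to need sendmail 8.14 or later, so check the README shipped with your version before rebuilding sendmail.cf.

```m4
dnl Added example (not from the mailing-list thread): sendmail.mc settings that
dnl bound what a single SMTP session can do with rejected RCPT TO commands.
dnl Option names are from my recollection of sendmail's cf/README; verify them
dnl against the README in your sendmail source tree before use.

dnl After 3 rejected recipients in one transaction, sleep one second after each
dnl further bad RCPT. Slows recipient enumeration without closing the session.
define(`confBAD_RCPT_THROTTLE', `3')dnl

dnl After 10 rejected recipients in one transaction, close the SMTP connection.
dnl This is the in-session cut-off that a later firewall ban cannot provide for
dnl a connection that is already established (assumed: sendmail 8.14 or later).
define(`confBAD_RCPT_SHUTDOWN', `10')dnl

dnl Temp-fail (452) any recipient beyond the 50th in one message, so one session
dnl cannot walk an unbounded address list even if every address is valid.
define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
```

fail2ban's sendmail-reject and recidive jails still stop the client from reconnecting after the ban; these settings only shorten what it can do inside the session it already has.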
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users