Hi all,

I agree, but fail2ban is being used with qmailtoaster as seen on this guide:
http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes

But that guide and many others I have found on the net don't include a regex for my case: "client not allowed to relay"

My problem is really to get a valid regex.
I will post it on fail2ban mailing list also. But it's important to post this here also

Thanks

2011/5/6 Martin Waschbüsch IT-Dienstleistungen <[email protected]>

> That is not true. fail2ban understands tai64n timestamps as used below.
>
> Btw., for fail2ban specific questions, it makes more sense to ask on the fail2ban mailing list. :-)
>
> Martin
>
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
>
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> [email protected]
> http://www.waschbuesch.it
>
> On 06.05.2011 at 08:58, Finn Buhelt wrote:
>
> > Hi.
> >
> > Just out of the head I think it's tricky because fail2ban needs a known timestamp to check against, and I cannot recall fail2ban having this timestamp listed as valid.
> >
> > But as said -just out of the head.
> > Regards,
> > Finn
> >
> > On 06-05-2011 08:10, Délsio Cabá wrote:
> >> Hi all
> >>
> >> I am getting a lot of DDOS on smtp connection logs:
> >>
> >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from <[email protected]::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted
> >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from <[email protected]::> remote <demagnify:unknown:173.212.197.14> rcpt <[email protected]> : invalid rcpt MX domain
> >> ..
> >> @400000004dc3905511aba4bc CHKUSER accepted sender: from <[email protected]::> remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted
> >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from <[email protected]::> remote <byte:unknown:173.212.197.14> rcpt <[email protected]> : client not allowed to relay
> >>
> >> I need to block this using fail2ban but the regex is quite complex. I have tried this:
> >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> >>
> >> But it doesn't seem to be working as expected:
> >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
> >> ...
> >> Date template hits:
> >> 0 hit(s): MONTH Day Hour:Minute:Second
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> >> 1184 hit(s): TAI64N
> >> 0 hit(s): Epoch
> >> 0 hit(s): ISO 8601
> >> 0 hit(s): Hour:Minute:Second
> >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> >>
> >> Any help would be very appreciated
> >> Thanks!
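
An added example, not part of the thread and not fail2ban or qmailtoaster code: one way to check a candidate failregex for the "client not allowed to relay" lines offline before putting it into a filter. The IPv4-only `HOST` stand-in, the function names and the sample lines (documentation addresses in the layout quoted above) are assumptions constructed here.

```python
import re
from collections import Counter

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag. fail2ban itself
# expands the tag to a broader pattern with a named group "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex. In the quoted lines the remote field has three
# colon-separated parts ending in the IP; the first two are names (assumed to
# be reported by or for the client), so only the last part is captured.
FAILREGEX = (
    r"CHKUSER rejected relaying: from <[^>]*> "
    r"remote <[^:>]*:[^:>]*:<HOST>> "
    r"rcpt <[^>]*> : client not allowed to relay\s*$"
)

# Constructed sample lines (not real log data)
SAMPLE_LOG = """\
@400000004dc390330ffb50f4 CHKUSER accepted sender: from <a@example.com::> remote <demagnify:unknown:203.0.113.14> rcpt <> : sender accepted
@400000004dc390340c9e201c CHKUSER rejected rcpt: from <a@example.com::> remote <demagnify:unknown:203.0.113.14> rcpt <x@example.org> : invalid rcpt MX domain
@400000004dc390562cb394a4 CHKUSER rejected relaying: from <b@example.net::> remote <byte:unknown:203.0.113.14> rcpt <c@example.org> : client not allowed to relay
@400000004dc390572cb394a4 CHKUSER rejected relaying: from <d@example.net::> remote <byte:unknown:203.0.113.14> rcpt <e@example.org> : client not allowed to relay
@400000004dc390582cb394a4 CHKUSER rejected relaying: from <f@example.net::> remote <mx:unknown:198.51.100.7> rcpt <g@example.org> : client not allowed to relay
"""

def compile_failregex(failregex):
    # Substitute the <HOST> tag the way a filter definition would use it.
    return re.compile(failregex.replace("<HOST>", HOST))

def relay_rejections(log_text, failregex=FAILREGEX):
    # Count matching lines per captured host; search() skips the TAI64N prefix.
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def offenders(log_text, maxretry=2):
    # Hosts that reach the (hypothetical) maxretry threshold.
    return sorted(ip for ip, n in relay_rejections(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    for ip, n in relay_rejections(SAMPLE_LOG).items():
        print(ip, n)
```

The same candidate pattern can then be passed to `fail2ban-regex` against the real log, as in the command quoted above, to confirm it behaves the same with fail2ban's own `<HOST>` expansion.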
