On 11/21/2013 04:35 PM, Brent Gardner wrote:
On 11/21/2013 02:47 PM, Gman wrote:
In the fail2ban config I have this relevant section

# username-notfound
[username-notfound]
enabled = true
filter = username-notfound
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600

From that I can figure a computer is sending to an invalid email
address on smtp port ( 25 ) so after 3 tries (maxretry = 3) the
firewall stops it ( iptables )

What logs should I be looking at to determine which computer is
causing this?
Thanks



You'd be looking in the /var/log/maillog file.

When I get hits for this the log entries look like:

     Nov  6 08:40:41 qmt03 vpopmail[25604]: vchkpw-smtp: vpopmail user
not found clients@:77.226.244.40


To really know what to search for, you'll need to see the contents of
username-notfound.conf, probably located at
/etc/fail2ban/filter.d/username-notfound.conf.

There will be a line like this:

     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>


This shows you what Fail2Ban is hitting on and what you should be
looking for in the log.

I'm not sure, my users do not send outbound through my toasters so they
don't auth, and I only see these entries from outside IP addresses, but
it seems to me that this indicates that someone tried to auth before
sending and the system did not recognize the username, so maybe
something on your network is trying to use the wrong port to send?


Regards,

Brent Gardner
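As an added example (not code from the thread or from Fail2Ban), the script below replays the failregex Brent quotes and the jail's maxretry/findtime over a few maillog lines, so you can see which client addresses are producing the "user not found" hits and which of them would actually cross the ban threshold. The first log line is the one quoted above; the others are constructed, the expansion of Fail2Ban's <HOST> placeholder into a plain address capture is an assumption, and the year 2013 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex quoted from /etc/fail2ban/filter.d/username-notfound.conf.
# Fail2Ban's <HOST> placeholder is expanded here (assumption) into a plain
# IPv4/hostname capture; IPv6 literals are not handled by this simplification.
FAILREGEX = re.compile(r"vchkpw-smtp: vpopmail user not found .*:(?P<host>[^\s:]+)\s*$")
# Leading syslog timestamp ("Nov  6 08:40:41"); syslog omits the year.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Values from the jail posted in the thread.
MAXRETRY = 3
FINDTIME = 3600  # seconds

# Constructed sample of /var/log/maillog: the first line is the one quoted in
# the thread, the rest are made up (192.168.1.50 stands in for a LAN host).
SAMPLE_MAILLOG = """\
Nov  6 08:40:41 qmt03 vpopmail[25604]: vchkpw-smtp: vpopmail user not found clients@:77.226.244.40
Nov  6 08:40:43 qmt03 vpopmail[25604]: vchkpw-smtp: vpopmail user not found clients@:77.226.244.40
Nov  6 08:41:10 qmt03 vpopmail[25611]: vchkpw-smtp: vpopmail user not found admin@:77.226.244.40
Nov  6 08:42:00 qmt03 vpopmail[25620]: vchkpw-smtp: vpopmail user not found sales@:192.168.1.50
Nov  6 09:15:00 qmt03 qmail: 1383751200.123 delivery 12: success: did_1+0+0/
Nov  6 10:00:00 qmt03 vpopmail[25700]: vchkpw-smtp: vpopmail user not found sales@:192.168.1.50
Nov  6 10:30:00 qmt03 vpopmail[25701]: vchkpw-smtp: vpopmail user not found sales@:192.168.1.50
"""


def parse_line(line, year):
    """Return (timestamp, host) when the line matches failregex, else None."""
    m_ts = SYSLOG_TS.match(line)
    m_fail = FAILREGEX.search(line)
    if not m_ts or not m_fail:
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m_fail.group("host")


def failures_by_host(log_text, year=2013):
    """Group the timestamps of matching lines per client address.

    This is the same view you get from grepping maillog for the failregex:
    it answers "which computer is producing the hits".
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed:
            ts, host = parsed
            hits[host].append(ts)
    return {host: sorted(times) for host, times in hits.items()}


def would_be_banned(log_text, maxretry=MAXRETRY, findtime=FINDTIME, year=2013):
    """Replay the jail's counting: a host is banned once maxretry matches fall
    within findtime seconds of each other. Returns {host: triggering timestamp}.
    """
    bans = {}
    window = timedelta(seconds=findtime)
    for host, times in failures_by_host(log_text, year).items():
        for i in range(maxretry - 1, len(times)):
            # Compare the i-th hit with the one maxretry-1 hits earlier.
            if times[i] - times[i - maxretry + 1] <= window:
                bans[host] = times[i]
                break
    return bans


if __name__ == "__main__":
    for host, times in failures_by_host(SAMPLE_MAILLOG).items():
        print(f"{host}: {len(times)} 'user not found' lines")
    for host, when in would_be_banned(SAMPLE_MAILLOG).items():
        print(f"BAN {host} at {when:%b %d %H:%M:%S} "
              f"(maxretry={MAXRETRY}, findtime={FINDTIME}s)")
```

Run against the real file with `python3 script.py < /dev/null` replaced by reading `/var/log/maillog` into `SAMPLE_MAILLOG`; in the constructed sample the LAN host shows up three times but never three times inside one hour, so only the outside address reaches the ban, which is the distinction to keep in mind when a host appears in the log but not in the iptables chain.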


---------------------------------------------------------------------

I honestly don't understand fail2ban in any detail. I wonder though, if perhaps it's set up such that if someone's authentication fails, then it changes iptables such that nobody can attempt to authenticate any more (like blocking port 587 for any address). That'd be pretty bad. :(

Just a thought.


--
-Eric 'shubes'

