Hi Dan. It's always a good idea to test the filters, I have learned - due to differences in log entries - it is easy to check if your filter will catch what you want.
fail2ban-regex /path_to_log/logfile /path_to_filter/filter.conf

Example:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf

will give you an overview of what happens when fail2ban runs the vpopmail.conf filter.

/ Finn

On 07-08-2014 at 00:09, Dan McAllister wrote:
> I am curious -- has anyone looked into a fail2ban implementation for QMT
>
> One of my larger mail servers is being attacked (from China, currently,
> but when it started in Malaysia and I blocked all Malaysian IPs, they
> just moved to another IP) with essentially a brute-force password
> guessing attack on users in one of the domains.
>
> They are using the SUBMISSION port to attempt logins, but I'd like to be
> able to ban SUBMISSION as well as IMAP/POP access (independently, or
> together) based on failed login attempts. (Ideally, same IP fail to
> login on any of those ports more than 5 times in a 5 minute period, and
> I'd like to simply tar-pit the entire IP address for 24 hours or so!)
>
> I'm (as amazing as it sounds) not all that familiar with fail2ban, but
> I've considered it several times and just never had the time to
> investigate.
>
> Assistance and experiences equally desired! :)
>
> Dan McAllister
> QMT DNS/Mirror Admin
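To make the two steps in this exchange concrete, here is an added Python example (not code from Finn's or Dan's mail, and not fail2ban's own code) that first does what `fail2ban-regex` does, reporting how many lines of a maillog a failregex matches and misses, and then applies the jail parameters Dan asks for (maxretry 5, findtime 5 minutes, bantime 24 hours) across submission, POP3 and IMAP failures from the same IP. The vchkpw log line wording, the failregex, the year used to complete syslog timestamps, and the sample log lines are all constructed assumptions; check the real `/var/log/maillog` and the real filter with `fail2ban-regex` before relying on any pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample maillog. The shape imitates syslog lines carrying vchkpw
# failures for three services from the same attacker (203.0.113.5), a slow
# trickle from a second IP (198.51.100.9), and one successful login. The exact
# message text is an assumption, not copied from vpopmail.
SAMPLE_LOG = """\
Aug  7 00:01:10 mail vpopmail[1234]: vchkpw-submission: password fail user@example.com:203.0.113.5
Aug  7 00:01:40 mail vpopmail[1234]: vchkpw-pop3: password fail user@example.com:203.0.113.5
Aug  7 00:02:05 mail vpopmail[1234]: vchkpw-imap: password fail user@example.com:203.0.113.5
Aug  7 00:02:50 mail vpopmail[1234]: vchkpw-submission: password fail alice@example.com:203.0.113.5
Aug  7 00:03:30 mail vpopmail[1234]: vchkpw-submission: password fail bob@example.com:203.0.113.5
Aug  7 00:03:31 mail vpopmail[1234]: vchkpw-submission: password fail bob@example.com:203.0.113.5
Aug  7 00:04:00 mail vpopmail[1234]: vchkpw-imap: login success dave@example.com:192.0.2.77
Aug  7 00:10:00 mail vpopmail[1234]: vchkpw-pop3: password fail carol@example.com:198.51.100.9
Aug  7 00:20:00 mail vpopmail[1234]: vchkpw-pop3: password fail carol@example.com:198.51.100.9
Aug  7 00:30:00 mail vpopmail[1234]: vchkpw-pop3: password fail carol@example.com:198.51.100.9
Aug  7 00:40:00 mail vpopmail[1234]: vchkpw-pop3: password fail carol@example.com:198.51.100.9
Aug  7 00:50:00 mail vpopmail[1234]: vchkpw-pop3: password fail carol@example.com:198.51.100.9
"""

# Assumed failregex: one pattern covering submission, pop3 and imap failures,
# with the client IP anchored at the end of the line (fail2ban's <HOST> role).
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ vpopmail\[\d+\]: "
    r"vchkpw-(?P<svc>submission|pop3|imap): password fail \S+:"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Syslog timestamps carry no year; 2014 (the year of this thread) is assumed.
LOG_YEAR = 2014


def parse_ts(text):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def match_summary(log_text):
    """Mimic fail2ban-regex: (lines matched, lines missed) for the failregex."""
    matched = missed = 0
    for line in log_text.splitlines():
        if FAILREGEX.match(line):
            matched += 1
        else:
            missed += 1
    return matched, missed


def run_jail(log_text, maxretry=5, findtime_s=300, bantime_s=86400):
    """Replay the log through a jail: ban an IP once it has maxretry failures
    inside a findtime window; return {ip: ban expiry}."""
    findtime = timedelta(seconds=findtime_s)
    bantime = timedelta(seconds=bantime_s)
    recent = defaultdict(list)  # ip -> failure times still inside findtime
    banned = {}                 # ip -> datetime the ban expires
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in banned:
            continue  # already blocked at the firewall; later lines are moot
        # Keep only failures within findtime of this one, then count them.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts + bantime
    return banned


if __name__ == "__main__":
    print("matched/missed:", match_summary(SAMPLE_LOG))
    for ip, until in run_jail(SAMPLE_LOG).items():
        print(f"ban {ip} until {until}")
```

With the 5-minute window only 203.0.113.5 is banned (five failures across three services inside 140 seconds); 198.51.100.9 never trips because its failures arrive ten minutes apart, which is exactly the kind of slow guessing a short findtime misses. Widening `findtime_s` to an hour catches it, which is the trade-off to weigh when choosing jail values.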
