This is very useful. Be sure your setup works before trusting/relying
on it.
On 8/7/14 7:57 AM, Finn Buhelt wrote:
Hi Dan.
It's always a good idea to test the filters, I have learned - due to
differences in log entries - it is easy to check if your filter will
catch what you want.
fail2ban-regex /path_to_log/logfile /path_to_filter/filter.conf
Example:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf
will give you an overview of what happens when fail2ban runs the
vpopmail.conf filter.
/Finn
On 07-08-2014 at 00:09, Dan McAllister wrote:
I am curious -- has anyone looked into a fail2ban implementation for QMT?
One of my larger mail servers is being attacked (from China, currently,
but when it started in Malaysia and I blocked all Malaysian IPs, they
just moved to another IP) with essentially a brute-force password
guessing attack on users in one of the domains.
They are using the SUBMISSION port to attempt logins, but I'd like to be
able to ban SUBMISSION as well as IMAP/POP access (independently, or
together) based on failed login attempts. (Ideally, same IP fails to
log in on any of those ports more than 5 times in a 5 minute period, and
I'd like to simply tar-pit the entire IP address for 24 hours or so!)
I'm (as amazing as it sounds) not all that familiar with fail2ban, but
I've considered it several times and just never had the time to
investigate.
Assistance and experiences equally desired! :)
Dan McAllister
QMT DNS/Mirror Admin
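
The policy asked for in the original message (more than 5 failed logins from one IP in 5 minutes, then a 24-hour block of the whole address) could be written as a fail2ban jail like the one below. This is an added example, not configuration posted by anyone in the thread. It assumes the vpopmail filter named above matches the failed-login lines for SUBMISSION, IMAP and POP alike, and that all of them are written to /var/log/maillog.

```ini
# /etc/fail2ban/jail.local
# Added example; the jail name "vpopmail" is an assumption chosen to
# match the filter file mentioned in the thread.
[vpopmail]
enabled  = true

# Uses /etc/fail2ban/filter.d/vpopmail.conf. Confirm it matches this
# server's log lines before enabling the jail:
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail.conf
filter   = vpopmail
logpath  = /var/log/maillog

# Failures are counted per source IP across every line the filter
# matches, so attempts spread over several ports add up together.
# maxretry is the count that triggers the ban, so 5 bans on the fifth
# failure; use 6 if exactly five failures should still be tolerated.
maxretry = 5
findtime = 300      # counting window: 5 minutes, in seconds
bantime  = 86400    # ban length: 24 hours, in seconds

# Block all ports for the offending IP rather than only the port that
# was attacked. This action rejects traffic; it is not a true tar-pit.
action   = iptables-allports[name=vpopmail, protocol=all]
```

After reloading fail2ban, `fail2ban-client status vpopmail` shows the failure count and the currently banned addresses for this jail.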