Re: Failed logins hammer/filter.

2019-09-17 Thread Gilles Chehade
On Mon, Sep 16, 2019 at 10:20:42AM +0300, Reio Remma wrote:
> Hello!
> 

Hello,


> Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login
> failures from IPs, but that doesn't work any more with the log format
> changed from:
> 
> smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr
> command="AUTH LOGIN (password)" result="535 Authentication failed"
> |
> smtp failed-command command="AUTH LOGIN (password)" result="535
> Authentication failed"
> 

using the human logs for this kind of programmatic stuff is no longer
supported, the proper way is to write a filter that registers for all
register events and parses that output instead.

we assume programs to read reports so the format is versioned and is
going to be easily parsed, we assume humans to read the logs so we're
going to adapt the logs without caring too much about scripts.


> Surprisingly SMTP isn't brute forced that much, but as I registered 472
> failed authentications from a single IP yesterday, I'm going to have a Go at
> a filter too. :)
> 

I do get a lot of brute-force but it mostly comes from compromised hosts
so filtering on !rdns, !fcrdns and matching some common dynamic patterns
kills the bulk of them.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles
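
The filter approach described above, as an added example that is not part of the thread and not OpenSMTPD's own code. It speaks the 6.6 filter protocol on stdin/stdout and joins smtp-in link-connect reports (which carry the client address) with link-auth reports (which carry only the session id) to count failed AUTH attempts per client IP. The field layout, the protocol version "0.4", the "config|ready" handshake and the "fail" result token are taken from smtpd-filters(7) as I remember it for 6.6 and should be checked against the version actually installed; the transcript in sampleReports is constructed, with only the address borrowed from the original post.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

// AuthTracker counts failed AUTH attempts per client IP. link-auth reports
// only carry a session id, so the IP comes from the earlier link-connect.
type AuthTracker struct {
	threshold int
	session   map[string]string // session id -> client IP
	failures  map[string]int    // client IP -> failed AUTH count
}

func NewAuthTracker(threshold int) *AuthTracker {
	return &AuthTracker{threshold: threshold,
		session: make(map[string]string), failures: make(map[string]int)}
}

// Handle consumes one report line and returns the client IP that just
// reached the threshold, or "" if nothing needs banning. Assumed layout:
//   report|ver|ts|smtp-in|link-connect|sid|rdns|fcrdns|src|dst
//   report|ver|ts|smtp-in|link-auth|sid|username|result
//   report|ver|ts|smtp-in|link-disconnect|sid
func (t *AuthTracker) Handle(line string) string {
	f := strings.Split(line, "|")
	if len(f) < 6 || f[0] != "report" || f[3] != "smtp-in" {
		return ""
	}
	sid := f[5]
	switch f[4] {
	case "link-connect":
		if len(f) < 10 {
			return ""
		}
		ip, _, err := net.SplitHostPort(f[8])
		if err != nil {
			ip = f[8] // tolerate a bare address
		}
		t.session[sid] = ip
	case "link-auth":
		// The username may itself contain '|', so read the result from the end.
		if len(f) < 8 || f[len(f)-1] != "fail" {
			return ""
		}
		ip, ok := t.session[sid]
		if !ok {
			return "" // no link-connect seen for this session: nothing to attribute
		}
		t.failures[ip]++
		if t.failures[ip] == t.threshold {
			return ip
		}
	case "link-disconnect":
		delete(t.session, sid)
	}
	return ""
}

// ScanReports answers smtpd's config handshake on w, registers for the three
// events we need, then feeds every report line to the tracker and returns the
// IPs that crossed the threshold, in order.
func ScanReports(r io.Reader, w io.Writer, threshold int) []string {
	var banned []string
	t := NewAuthTracker(threshold)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "config|") {
			if line == "config|ready" {
				fmt.Fprintln(w, "register|report|smtp-in|link-connect")
				fmt.Fprintln(w, "register|report|smtp-in|link-auth")
				fmt.Fprintln(w, "register|report|smtp-in|link-disconnect")
				fmt.Fprintln(w, "register|ready")
			}
			continue
		}
		if ip := t.Handle(line); ip != "" {
			banned = append(banned, ip)
		}
	}
	return banned
}

// sampleReports is a constructed transcript of what smtpd writes to the
// filter's stdin: one session with two failures, a second from the same IP
// with one pass and one failure, and a stray auth on an unknown session.
const sampleReports = `config|smtpd-version|6.6.0
config|ready
report|0.4|1568617242.001|smtp-in|link-connect|a1b2c3d4e5f60001|vps-33288.fhnet.fr|pass|185.13.39.7:51234|192.0.2.25:25
report|0.4|1568617242.101|smtp-in|link-auth|a1b2c3d4e5f60001|info|fail
report|0.4|1568617242.201|smtp-in|link-auth|a1b2c3d4e5f60001|admin|fail
report|0.4|1568617242.301|smtp-in|link-disconnect|a1b2c3d4e5f60001
report|0.4|1568617250.001|smtp-in|link-connect|a1b2c3d4e5f60002|vps-33288.fhnet.fr|pass|185.13.39.7:51300|192.0.2.25:25
report|0.4|1568617250.101|smtp-in|link-auth|a1b2c3d4e5f60002|reio|pass
report|0.4|1568617250.201|smtp-in|link-auth|a1b2c3d4e5f60002|postmaster|fail
report|0.4|1568617260.001|smtp-in|link-auth|ffffffffffffffff|ghost|fail
`

func main() {
	// Banning itself is left to whatever you already use (a pf table, a
	// fail2ban action reading this output, ...); here we just report it.
	for _, ip := range ScanReports(os.Stdin, os.Stdout, 5) {
		fmt.Fprintf(os.Stderr, "ban %s\n", ip)
	}
}
```

Hooked up as `filter "auth-hammer" proc-exec "/path/to/binary"` and attached to the listener with `filter "auth-hammer"` (smtpd.conf syntax as I recall it for 6.6), the process gets the same events the old log lines carried, in a format that is versioned rather than subject to wording changes; the counter deliberately ignores link-auth events for sessions it never saw connect, so a restart of the filter mid-session never attributes failures to the wrong address.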



Failed logins hammer/filter.

2019-09-16 Thread Reio Remma

Hello!

Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login 
failures from IPs, but that doesn't work any more with the log format 
changed from:


smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr 
command="AUTH LOGIN (password)" result="535 Authentication failed"

|
smtp failed-command command="AUTH LOGIN (password)" result="535 
Authentication failed"


Surprisingly SMTP isn't brute forced that much, but as I registered 472 
failed authentications from a single IP yesterday, I'm going to have a 
Go at a filter too. :)


All the best,
Reio