Re: Changing Log Messages

2022-06-24 Thread Hagen Bauer

Hi to all

So I am a step further in getting reporting via a filter. I tried to register a lot 
of events and I get a lot of information, but it seems that the event

 smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"

is not reported via the API.

So although this was an interesting path that I certainly will be able to use in 
the future, for this case it does not seem to be successful.

Did I miss something?

Regards
Hagen

on Thu, Jun 23, 2022 at 04:34:54PM +0200, Hagen Bauer wrote:

Hi Mohamad,

exactly, that's it. Renaming it to auth-logger solved the "syntax error".

Regards
Hagen

On Thu, Jun 23, 2022 at 06:36:46AM -0700, Mohamad Safadieh wrote:

Hi Hagen,

I'm pretty sure "auth" is a reserved keyword. Renaming your filter to something other 
than "auth" should fix it.

Regards,
Mohamad

On Thu, Jun 23, 2022, at 6:23 AM, Pete wrote:

Hi,

it says right there in the message...
Lines 13 and 26 in /usr/local/etc/mail/smtpd.conf


service smtpd restart
Performing sanity check on smtpd configuration:
/usr/local/etc/mail/smtpd.conf:13: syntax error
/usr/local/etc/mail/smtpd.conf:26: syntax error

Any idea where the syntax error is created?

Regards
Hagen.
Re: Changing Log Messages

2022-06-23 Thread Hagen Bauer

Hi Mohamad,

exactly, that's it. Renaming it to auth-logger solved the "syntax error".

Regards
Hagen

On Thu, Jun 23, 2022 at 06:36:46AM -0700, Mohamad Safadieh wrote:

Hi Hagen,

I'm pretty sure "auth" is a reserved keyword. Renaming your filter to something other 
than "auth" should fix it.

Regards,
Mohamad

On Thu, Jun 23, 2022, at 6:23 AM, Pete wrote:

Hi,

it says right there in the message...
Lines 13 and 26 in /usr/local/etc/mail/smtpd.conf


service smtpd restart
Performing sanity check on smtpd configuration:
/usr/local/etc/mail/smtpd.conf:13: syntax error
/usr/local/etc/mail/smtpd.conf:26: syntax error

Any idea where the syntax error is created?

Regards
Hagen.
Re: Changing Log Messages

2022-06-23 Thread Mohamad Safadieh

Hi Hagen,

I'm pretty sure "auth" is a reserved keyword. Renaming your filter to something 
other than "auth" should fix it.

Regards,
Mohamad

On Thu, Jun 23, 2022, at 6:23 AM, Pete wrote:
> Hi,
>
> it says right there in the message...
> Lines 13 and 26 in /usr/local/etc/mail/smtpd.conf
>
>> service smtpd restart
>> Performing sanity check on smtpd configuration:
>> /usr/local/etc/mail/smtpd.conf:13: syntax error
>> /usr/local/etc/mail/smtpd.conf:26: syntax error
>
>> Any idea where the syntax error is created?
>
>> Regards
>> Hagen.
Re: Changing Log Messages

2022-06-23 Thread Pete

Hi,

it says right there in the message...
Lines 13 and 26 in /usr/local/etc/mail/smtpd.conf

> service smtpd restart
> Performing sanity check on smtpd configuration:
> /usr/local/etc/mail/smtpd.conf:13: syntax error
> /usr/local/etc/mail/smtpd.conf:26: syntax error

> Any idea where the syntax error is created?

> Regards
> Hagen.
Re: Changing Log Messages

2022-06-23 Thread Hagen Bauer

Hi Reio,

this is my first filter plus my first Go program, so I might be missing something.
This is what I did:

pkg install go
git clone https://github.com/whataboutpereira/filter-auth.git
cd filter-auth/
go build filter-auth.go
cp filter-auth /usr/local/libexec/opensmtpd/opensmtpd-filter-auth

Add filter to the listen entry

vi /usr/local/etc/mail/smtpd.conf
   ...
   filter auth proc-exec "opensmtpd-filter-auth"
   ...
   listen on igb0 tls pki my.hostname.de hostname my.hostname.de filter { rspamd, auth }

service smtpd restart
Performing sanity check on smtpd configuration:
/usr/local/etc/mail/smtpd.conf:13: syntax error
/usr/local/etc/mail/smtpd.conf:26: syntax error

Any idea where the syntax error is created?

Regards
Hagen.

On Thu, Jun 23, 2022 at 08:17:02AM +0200, Hagen Bauer wrote:

Hi Reio,

great that looks like a solution for me. I will give it a try.

Regards
Hagen

On Wed, Jun 22, 2022 at 10:16:00PM +0300, Reio Remma wrote:

Filters are indeed the way to go.

I'm personally using a reporter to log failed authentications which 
I'm feeding to fail2ban to block.


https://github.com/whataboutpereira/filter-auth

Good luck
Reio

On 22.06.2022 20:56, Pete wrote:

Hi,

the best is probably to implement a custom reporting filter that fits your needs:
http://man.openbsd.org/man7/smtpd-filters.7

Hi,

I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to log in on port 25:
```
smtp connected address=43.zzz.yy.xx host=
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
```
So the trigger is line 2 but the IP address is in line 1.
Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.
Is there any chance or idea how I could change the logs to include the address 
in line 2?

Regards
Hagen Bauer

Re: Changing Log Messages

2022-06-23 Thread Hagen Bauer

Hi Reio,

great that looks like a solution for me. I will give it a try.

Regards
Hagen

On Wed, Jun 22, 2022 at 10:16:00PM +0300, Reio Remma wrote:

Filters are indeed the way to go.

I'm personally using a reporter to log failed authentications which 
I'm feeding to fail2ban to block.


https://github.com/whataboutpereira/filter-auth

Good luck
Reio

On 22.06.2022 20:56, Pete wrote:

Hi,

the best is probably to implement a custom reporting filter that fits your needs:
http://man.openbsd.org/man7/smtpd-filters.7

Hi,

I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to log in on port 25:
```
smtp connected address=43.zzz.yy.xx host=
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
```
So the trigger is line 2 but the IP address is in line 1.
Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.
Is there any chance or idea how I could change the logs to include the address 
in line 2?

Regards
Hagen Bauer
Re: Changing Log Messages

2022-06-22 Thread Reio Remma

Filters are indeed the way to go.

I'm personally using a reporter to log failed authentications which I'm 
feeding to fail2ban to block.


https://github.com/whataboutpereira/filter-auth

Good luck
Reio

On 22.06.2022 20:56, Pete wrote:

Hi,

the best is probably to implement a custom reporting filter that fits your needs:
http://man.openbsd.org/man7/smtpd-filters.7

Hi,

I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to log in on port 25:
```
smtp connected address=43.zzz.yy.xx host=
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
```
So the trigger is line 2 but the IP address is in line 1.
Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.
Is there any chance or idea how I could change the logs to include the address 
in line 2?

Regards
Hagen Bauer
Re: Changing Log Messages

2022-06-22 Thread Pete
Hi,

the best is probably to implement a custom reporting filter that fits your needs:
http://man.openbsd.org/man7/smtpd-filters.7

> Hi,
>
> I would like to use crowdsec to evaluate my mail logs. My current idea is to 
> block all users that try to log in on port 25:
>
> ```
> smtp connected address=43.zzz.yy.xx host=
> smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
> ```
> So the trigger is line 2 but the IP address is in line 1.
>
> Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.
> Is there any chance or idea how I could change the logs to include the 
> address in line 2?
>
> Regards
>
> Hagen Bauer
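
Pete's suggestion of a custom reporting filter, worked through as an added example (not code from the thread or from filter-auth): a report-only OpenSMTPD filter speaking the smtpd-filters(7) line protocol that keeps each session's client address from link-connect and, because `failed-command` is a log message rather than a reporting event, watches protocol-client/protocol-server for an AUTH command answered with a 503, then emits both on one line that a single-line crowdsec or fail2ban parser can match. Assumed: the `report|version|timestamp|smtp-in|event|session-id|params` layout and the `config|ready` / `register|...` handshake as documented in smtpd-filters(7); the `auth-rejected ...` output format is my own.

```go
// Added example, not filter-auth's code: a report-only OpenSMTPD filter joining client address and rejected AUTH.
package main
import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)
// Subscriptions sent once smtpd signals "config|ready" (smtpd-filters(7) protocol).
const registration = "register|report|smtp-in|link-connect\nregister|report|smtp-in|protocol-client\nregister|report|smtp-in|protocol-server\nregister|report|smtp-in|link-disconnect\nregister|ready\n"
type session struct{ addr, lastCmd string } // state kept per smtpd session id
var sessions = map[string]*session{}
// handleLine consumes one "report|version|ts|smtp-in|event|sid|params" line; returns (logline, true) when an AUTH command draws a 503 reply.
func handleLine(line string) (string, bool) {
	f := strings.SplitN(line, "|", 7)
	if len(f) < 6 || f[0] != "report" || f[3] != "smtp-in" {
		return "", false
	}
	sid, params := f[5], strings.Join(f[6:], "") // link-disconnect carries no params field
	switch f[4] {
	case "link-connect": // params: rdns|fcrdns|src|dest, src is "addr:port" (IPv6 in brackets)
		if p := strings.Split(params, "|"); len(p) >= 3 {
			if host, _, err := net.SplitHostPort(p[2]); err == nil {
				sessions[sid] = &session{addr: host}
			}
		}
	case "protocol-client": // params: the raw client command line
		if s, ok := sessions[sid]; ok {
			s.lastCmd = params
		}
	case "protocol-server": // params: the raw server reply line
		if s, ok := sessions[sid]; ok && strings.HasPrefix(params, "503") && strings.HasPrefix(strings.ToUpper(s.lastCmd), "AUTH") {
			return fmt.Sprintf("auth-rejected address=%s command=%q result=%q", s.addr, s.lastCmd, params), true
		}
	case "link-disconnect": // drop state so the map cannot grow without bound
		delete(sessions, sid)
	}
	return "", false
}
func main() {
	in := bufio.NewScanner(os.Stdin)
	for in.Scan() {
		if line := in.Text(); line == "config|ready" {
			fmt.Print(registration) // stdout is the protocol channel back to smtpd
		} else if out, ok := handleLine(line); ok {
			fmt.Fprintln(os.Stderr, out) // so our own log line goes to stderr
		}
	}
}
```

Deploy it the way filter-auth is deployed in the thread: copy the binary to /usr/local/libexec/opensmtpd/ and reference it with `filter <name> proc-exec ...` in smtpd.conf, choosing a filter name other than the reserved word `auth`.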
Changing Log Messages

2022-06-22 Thread Hagen Bauer

Hi,

I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to log in on port 25:

```
smtp connected address=43.zzz.yy.xx host=
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
```
So the trigger is line 2 but the IP address is in line 1.

Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.

Is there any chance or idea how I could change the logs to include the address 
in line 2?

Regards

Hagen Bauer