On 08-06-15 02:24, Wilmer Arambula wrote:
> Hi, as I can create the following filter example for these brute
> force postfix / smtpd:
>
> Log Example: mail.warning.log (syslog)
>
> 2015 Jun 6 15:58:34 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun 6 15:59:06 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun 6 15:59:19 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun 6 16:29:02 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 6 16:29:02 postfix/smtpd[20541]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 6 16:29:23 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 6 18:34:43 postfix/smtpd[21825]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun 7 00:26:44 postfix/smtpd[25369]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 7 03:18:39 postfix/smtpd[27129]: warning: hostname hn.kd.ny.adsl does not resolve to address 182.118.53.86: Name or service not known
> 2015 Jun 7 03:18:39 postfix/smtpd[27129]: warning: non-SMTP command from unknown[182.118.53.86]: GET / HTTP/1.0
> 2015 Jun 7 06:43:12 postfix/smtpd[29248]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun 7 06:43:12 postfix/smtpd[29246]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun 7 08:41:20 postfix/smtpd[30813]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 7 17:10:35 postfix/smtpd[3635]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 7 17:10:39 postfix/smtpd[3635]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun 7 19:02:25 postfix/smtpd[10450]: warning: hostname azteca-comunicaciones.com does not resolve to address 191.102.73.51
> 2015 Jun 7 19:15:15 postfix/smtpd[10825]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun 3 23:41:22 postfix/smtpd[10381]: lost connection after UNKNOWN from unknown[49.48.140.5]
> 2015 Jun 3 23:41:22 postfix/smtpd[10381]: disconnect from unknown[49.48.140.5]
> 2015 Jun 3 23:41:22 postfix/smtpd[10379]: connect from unknown[49.48.140.5]
>

All of these (except for the non-SMTP command warning) are just warnings that relate to non-existent DNS records, and can happen with any valid SMTP server too, or can be triggered by an issue with your internal DNS setup. These specific warnings don't indicate any wrongdoing from the IP owner (again, an exception for the non-SMTP command warning) and should imho not trigger a block.

The same hosts might have triggered some other error message when it actually does something stupid. Fail2ban ships several postfix-related filters by default that should catch most of those.

I also have a postscreen filter lying around, if you're interested in that.

Tom
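
Added example (not part of either message above, and not one of fail2ban's shipped filters): a Python check that sorts lines from the quoted log into the DNS-only warnings and the non-SMTP command warning, following the distinction the reply draws. The regexes, the function names and the IPv4 pattern standing in for fail2ban's <HOST> tag are assumptions; the sample lines are copied from the log in the question.

```python
import re
from collections import Counter

# Sample lines copied from the log quoted in the question.
SAMPLE_LOG = """\
2015 Jun 6 15:58:34 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
2015 Jun 6 16:29:02 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
2015 Jun 7 03:18:39 postfix/smtpd[27129]: warning: hostname hn.kd.ny.adsl does not resolve to address 182.118.53.86: Name or service not known
2015 Jun 7 03:18:39 postfix/smtpd[27129]: warning: non-SMTP command from unknown[182.118.53.86]: GET / HTTP/1.0
2015 Jun 7 19:02:25 postfix/smtpd[10450]: warning: hostname azteca-comunicaciones.com does not resolve to address 191.102.73.51
2015 Jun 3 23:41:22 postfix/smtpd[10381]: lost connection after UNKNOWN from unknown[49.48.140.5]
"""

# Assumption: a plain IPv4 group stands in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"postfix/smtpd\[\d+\]: warning: "

# Ban candidate: a client that sent something other than SMTP to the SMTP port.
# Hypothetical failregex form (not tested against a real fail2ban install):
#   ^.*postfix/smtpd\[\d+\]: warning: non-SMTP command from \S+\[<HOST>\]:
BAN_RE = re.compile(PREFIX + r"non-SMTP command from \S+\[" + HOST + r"\]: ")

# DNS-hygiene warnings: recognised so they can be counted, never banned on.
DNS_RE = re.compile(
    PREFIX
    + r"(?:numeric hostname: |hostname \S+ does not resolve to address )"
    + HOST
)


def classify(line):
    """Return (category, ip) for one smtpd log line."""
    for category, regex in (("ban", BAN_RE), ("dns-only", DNS_RE)):
        match = regex.search(line)
        if match:
            return category, match.group("host")
    return "other", None


def summarize(log_text):
    """Count hits per address for each category; 'other' is a plain count."""
    result = {"ban": Counter(), "dns-only": Counter(), "other": 0}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        category, ip = classify(line)
        if ip is None:
            result["other"] += 1
        else:
            result[category][ip] += 1
    return result


if __name__ == "__main__":
    for category, hits in summarize(SAMPLE_LOG).items():
        print(category, dict(hits) if isinstance(hits, Counter) else hits)
```

Note that 182.118.53.86 appears in both categories: it is the non-SMTP command line, not the DNS warning logged in the same second, that makes it a ban candidate.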
