I've just realised. This is safe if you are always matching "unknown" but dangerous if you allow it to match IPs with a reverse DNS. The reason for this is that, on completing a mail transfer, not all MTAs disconnect nicely and just drop the connection, so there are only some transactions you can fairly safely block after a few lost transactions, like HELO, AUTH etc., and one or two where you can't. I have a few in my filter at home.
On 2016-08-11 14:06, Nick Howitt wrote:
> I think a "+" does a greedy match, so matches as many characters as it
> can. Try changing it to a "*" or restricting it further with an
> "[A-Z]*".
>
> FWIW I have postfix set up to reject improper command pipelining so you
> then get something "lost connection after HELO from whatever" and I
> match on that.
>
> Also to help postfix, I added "smtpd_client_restrictions =
> reject_unknown_reverse_client_hostname" which stops anyone whose IP does
> not have a reverse DNS record. It does not test the validity and it is
> not recommended to, just that one exists. It is a mandatory requirement
> for SMTP servers to have a reverse DNS record (but it does not need to
> match the sending FQDN). This stops all mail from "unknown" which you
> can then pick up in f2b with "lost connection from unknown" or something
> like it. You can test the restriction by using warn_if_reject like
> "smtpd_client_restrictions = warn_if_reject
> reject_unknown_reverse_client_hostname" so postfix only warns and not
> rejects
>
> Nick
>
>
> On 2016-08-11 12:58, Jacques Lav!gnotte. wrote:
>> Hello,
>>
>> I tried a whole bunch of minutes ( more than 60 )
>>
>> but I can't get this rule to match :
>>
>> fail2ban-regex \
>> "Aug 10 23:56:35 emf postfix/smtpd[26006]: improper command pipelining after HELO from unknown[113.57.97.103]: QUIT\r\n" \
>> "^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:.*$"
>>
>> Can anyone help ?
>>
>> TIA, Jacques
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
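The following is an added worked example, not code from either poster or from fail2ban itself. It shows, in plain Python, what a filter built along the lines discussed above would do: the pipelining pattern from Jacques' post is kept as-is, and the "lost connection" pattern is restricted to the "unknown" client and to the HELO/EHLO/AUTH stages, so that a legitimate MTA that drops the line after DATA or QUIT is never counted (the caveat in Nick's follow-up). `PREFIX_LINE` and `HOST_RE` are simplified stand-ins for fail2ban's real `__prefix_line` and `<HOST>` substitutions, `SAFE_STAGES` is a hypothetical choice, and the log lines are constructed with documentation addresses; none of these come from the thread.

```python
import re
from collections import Counter

# Simplified stand-ins for fail2ban's own substitutions (assumptions, not the exact
# definitions from filter.d/common.conf): __prefix_line covers the syslog
# timestamp/host/program prefix, <HOST> becomes an IPv4 capture group named "host".
PREFIX_LINE = r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Stages a legitimate MTA does not normally abandon. A real server that has finished
# a transfer may drop the connection after DATA or QUIT without being a bot, so those
# stages are deliberately not listed (hypothetical choice for this example).
SAFE_STAGES = ("HELO", "EHLO", "AUTH")

# Patterns in the style of a fail2ban filter.d/*.conf [Definition] failregex.
FAILREGEX = [
    # Command pipelining before the session is established is never legitimate,
    # so this pattern may match any client, named or "unknown".
    r"%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:.*$",
    # Lost connections count only after the stages above and only for clients
    # with no reverse DNS (logged as "unknown").
    r"%(__prefix_line)slost connection after (?:" + "|".join(SAFE_STAGES)
    + r") from unknown\[<HOST>\]$",
]

# Constructed sample log lines (documentation addresses, not real clients).
SAMPLE_LOG = "\n".join([
    r"Aug 10 23:56:35 emf postfix/smtpd[26006]: improper command pipelining after HELO from unknown[192.0.2.10]: QUIT\r\n",
    "Aug 10 23:57:01 emf postfix/smtpd[26006]: lost connection after AUTH from unknown[192.0.2.11]",
    "Aug 10 23:57:30 emf postfix/smtpd[26007]: lost connection after DATA from mail.example.net[198.51.100.5]",
    "Aug 10 23:58:02 emf postfix/smtpd[26007]: lost connection after HELO from unknown[192.0.2.10]",
    "Aug 10 23:58:40 emf postfix/smtpd[26008]: lost connection after RCPT from unknown[192.0.2.12]",
    "Aug 10 23:59:10 emf postfix/smtpd[26008]: lost connection after CONNECT from mx.example.org[203.0.113.7]",
])


def compile_failregex(failregex):
    """Expand the fail2ban-style placeholders and compile the pattern."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE)
    return re.compile(pattern)


COMPILED = [compile_failregex(r) for r in FAILREGEX]


def failures(log_text):
    """Count matching failures per client IP, the way a jail's failure counter would."""
    counts = Counter()
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per line, even if several patterns would match
    return counts


def hosts_to_ban(counts, maxretry=2):
    """Return the IPs that reached maxretry, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failures(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} failure(s)")
    print("would ban:", hosts_to_ban(counts))
```

Run against the sample, only 192.0.2.10 reaches the threshold (one pipelining hit plus one lost connection after HELO); the "lost connection after DATA" from a client with reverse DNS and the "after RCPT" line are ignored by design, which is the distinction the follow-up above is making.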
