You have to have <HOST> somewhere in the filter:
failregex = NOQUEUE: reject: RCPT from \S+\[<HOST>\]: .*$
            lost connection after \S+ from (.*)\[<HOST>\]
            reject: (header|body) .* from (.*)\[<HOST>\]
            timeout after \S+ from \S+\[<HOST>\].*$
            warning: Connection rate limit exceeded: .*\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = NOQUEUE: reject_warning:
              NOQUEUE: reject:.*Greylisted

You can test your filter outside of the fail2ban server with:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.local

Bill


On 9/21/2016 6:28 AM, [email protected] wrote:
Sorry Bill - here are my answers:

fail2ban version 0.8.13

bantime  = 600
findtime = 600
maxretry = 2


[postfix]
enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log



_daemon = postfix/smtpd
failregex = warning: (.*)\[\]: SASL LOGIN authentication failed: authentication failure
                  reject: RCPT from (.*)\[\]: 554 5.1.1
                  reject: RCPT from (.*)\[\]: 450 4.7.1
                  reject: RCPT from (.*)\[\]: 554 5.7.1
ignoreregex =






On 26.08.2016 at 22:33, [email protected] wrote:
Hi,


fail2ban is very effective at stopping attacks on the shell accounts.

The regex for postfix (mail.log) seems to be ignored.

I want to stop hosts which produce the following entries in my log files:

    Aug 24 22:38:10 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from
onlinemta58.ccbcjc.com[104.223.236.58]: 550 5.1.1<[email protected]>:
Recipient address rejected: User unknown in virtual mailbox table;
from=<[email protected]>  to=<[email protected]>  proto=ESMTP
helo=<onlinemta58.ccbcjc.com>

Aug 24 22:40:07 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from
unknown[95.140.39.34]: 450 4.7.1 Client host rejected: cannot find your
hostname, [95.140.39.34]; from=<[email protected]>
to=<[email protected]>  proto=ESMTP helo=<peninsula.williams-sonona.com>

My regex seems to be wrong :-(

Any suggestions ?

Thx

Sebastian


------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
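
An added example (not part of the original thread and not fail2ban's own code) showing why the filter needs <HOST>: a Python sketch that expands <HOST> into a named capture group, runs two of the failregex patterns and the ignoreregex from the reply over constructed log lines, and refuses a pattern that has no <HOST>. HOST_GROUP, compile_filter, find_offenders and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> expansion (the real
# pattern varies by version); captures a hostname or IPv4 address as "host".
HOST_GROUP = r"(?P<host>[\w\-.]+)"
FAILREGEX = [  # two of the patterns from the reply in this thread
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: .*$",
    r"lost connection after \S+ from (.*)\[<HOST>\]",
]
IGNOREREGEX = [r"NOQUEUE: reject_warning:", r"NOQUEUE: reject:.*Greylisted"]
# One pattern from the original filter: it has no <HOST> tag.
NO_HOST_REGEX = [r"reject: RCPT from (.*)\[\]: 450 4.7.1"]
# Constructed log lines modelled on the thread's (documentation addresses).
P = "Aug 24 22:38:10 debian postfix/smtpd[2123]: "
SAMPLE_LOG = [
    P + "NOQUEUE: reject: RCPT from mta.example.net[192.0.2.58]: 550 5.1.1 "
        "<nobody@example.com>: Recipient address rejected: User unknown",
    P + "NOQUEUE: reject: RCPT from unknown[198.51.100.34]: 450 4.7.1 "
        "Client host rejected: cannot find your hostname, [198.51.100.34]",
    P + "NOQUEUE: reject: RCPT from mx.example.org[203.0.113.7]: 450 4.2.0 "
        "<user@example.com>: Recipient address rejected: Greylisted",
    P + "lost connection after AUTH from unknown[203.0.113.9]",
    P + "connect from unknown[203.0.113.9]",
]

def compile_filter(patterns):
    """Expand <HOST>; refuse patterns that cannot yield an address to ban."""
    compiled = []
    for pattern in patterns:
        if "<HOST>" not in pattern:
            raise ValueError(f"no <HOST> in failregex: {pattern!r}")
        compiled.append(re.compile(pattern.replace("<HOST>", HOST_GROUP)))
    return compiled

def find_offenders(lines, failregex, ignoreregex=()):
    """Return the host captured from each line that matches a failregex."""
    fail = compile_filter(failregex)
    ignore = [re.compile(p) for p in ignoreregex]
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue  # ignoreregex wins: the line is skipped entirely
        match = next((m for m in (r.search(line) for r in fail) if m), None)
        if match:
            hosts.append(match.group("host"))
    return hosts

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, FAILREGEX, IGNOREREGEX))
```

The Greylisted line is dropped by ignoreregex before any failregex is tried, and the plain "connect from" line matches nothing.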
