On 25/11/2016 13:14, Tom Hendrikx wrote:
>
>
> On 25-11-16 14:05, [email protected] wrote:
>> On 2016-11-24 21:47 Tom Hendrikx wrote:
>>> You made a typo in the config file, which made fail2ban fail on an
>>> earlier restart. The logrotate just tripped over the fact that f2b
>>> wasn't running some days later.
>>>
>>> Please show us your jail and filter config for the postfix-disc jail,
>>> but my first guess would be that you set up the jail using
>>>
>>> logfile=%(syslog_mail)s
>>>
>>> but the variable 'syslog_mail' is not defined anywhere.
>>>
>>> Kind regards,
>>>     Tom
>> Well Tom!
>> I've changed on "/etc/fail2ban/jail.conf"
>>
>> from
>> logfile=%(syslog_mail)s
>>
>> to
>> logpath  = /var/log/mail.log
>>
>> then I've added the filter for postfix-disc:
>>
>> [postfix-disc]
>>
>> filter = postfix-disc
>>
>>
>> now, on /etc/fail2ban/filter.d/postfix-disc.conf remain some errors:
>>
>> nov 25 12:47:10 server fail2ban[32404]: ERROR  Failed during
>> configuration: File contains parsing errors:
>> /etc/fail2ban/filter.d/postfix-disc.conf
>> nov 25 12:47:10 server fail2ban[32404]: [line 12]:
>> '(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\\..*\\[<HOST>\\]$\n'
>> nov 25 12:47:10 server fail2ban[32404]: [line 13]:
>> '^%(__prefix_line)sdisconnect from unknown\\[<HOST>\\]$\n'
>> nov 25 12:47:10 server fail2ban[32404]: failed!
>>
>>
>> This is my postfix-disc.conf:
>>
>>
>> # Fail2Ban filter for postfix lost connections
>> #
>> [INCLUDES]
>>
>> before = common.conf
>>
>> [Definition]
>>
>> _daemon = postfix/smtpd
>>
>> failregex = ^%(__prefix_line)slost connection after
>> (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
>> ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
> This part is messed up. It should probably be something like:
>
> failregex = ^%(__prefix_line)slost connection after
> (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
>              ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
>
> Note: these are two lines, not three (watch for wrapping lines)! First
> line contains the complete regex for 'lost connection after AUTH ...
> [<HOST>]$', the next line is indented, and contains the regex for
> 'disconnect from unknown...'.
>
> IMHO the second regex should not be monitored by f2b, but that's your call.
>
> Kind regards,
>       Tom
The main reason for the second line is that I was occasionally getting
bursts of 100+ repeat "disconnect from unknown" messages which I wanted
to stop. As it happens, according to the RFCs, every MTA must have a
PTR record so there should never be an "unknown", but I do see an odd
incorrectly set up MTA (e.g. 62.119.166.56 for
[email protected]). I do have the advantage that my DNS
provider also gives me MX backup, so when I block the IP, a well-behaved
(not spamming?) MTA should fall back to my MX backup so I get the
message anyway if it is valid.

I am reconsidering blocking these at the moment (they are also blocked
in postfix). Something I've read and observed with the MX backup is that
if you add a fictitious MX record with the highest priority, only the
proper, well-behaved MTAs will fall back to the server with the next
highest MX record. This can be an alternative anti-spam strategy but it
does add delivery delays.
>> ignoreregex =
>>
>> # Author: Nick Howitt
>>
>>
>> many many thanks for your help! :-)
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>


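Added example, not part of the thread and not fail2ban's own code: a small Python harness that reads the postfix-disc filter both ways with configparser (fail2ban's config reader is built on it), so the unindented wrapped line reproduces the "File contains parsing errors" failure from the log above, and then runs the two corrected failregex lines against a few constructed mail.log lines. PREFIX_LINE and HOST_GROUP are simplified stand-ins for what common.conf's __prefix_line and fail2ban's <HOST> substitution do; the log lines, hostnames and IPs are constructed.

```python
import configparser
import re

# Simplified stand-in for %(__prefix_line)s from fail2ban's common.conf
# (assumption: syslog-style "Mon DD HH:MM:SS host postfix/smtpd[pid]: " prefix;
# real fail2ban strips the timestamp separately and builds this from _daemon).
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?\S+\s+postfix/smtpd\[\d+\]:\s+"
# fail2ban 0.9 substitutes <HOST> with a named group along these lines.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter as posted: the first regex wrapped onto an unindented line 4,
# which the INI parser cannot treat as a continuation of line 3.
BROKEN_FILTER = "\n".join([
    "[Definition]",
    "_daemon = postfix/smtpd",
    r"failregex = ^%(__prefix_line)slost connection after",
    r"(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$",
    r"^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$",
])

# The corrected filter: one complete regex per line, continuation indented.
FIXED_FILTER = "\n".join([
    "[Definition]",
    "_daemon = postfix/smtpd",
    r"failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$",
    r"            ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$",
])


def parse_failregex(text):
    """Read the filter with configparser (fail2ban's reader is built on it).
    Returns (list_of_regex_lines, []) on success, or (None, [bad line numbers])
    when the file has parsing errors, as in the log output in the thread."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    try:
        cp.read_string(text)
    except configparser.ParsingError as exc:
        return None, [lineno for lineno, _ in exc.errors]
    value = cp.get("Definition", "failregex")
    return [ln.strip() for ln in value.splitlines() if ln.strip()], []


def compile_failregex(lines):
    """Expand the fail2ban placeholders and compile each failregex line."""
    return [
        re.compile(ln.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_GROUP))
        for ln in lines
    ]


def matched_hosts(patterns, log_lines):
    """Return the <HOST> capture for every log line some failregex matches."""
    hosts = []
    for line in log_lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# Constructed sample mail.log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    "Nov 25 12:47:10 server postfix/smtpd[32404]: lost connection after AUTH from mail.example.net[203.0.113.5]",
    "Nov 25 12:47:12 server postfix/smtpd[32404]: disconnect from unknown[198.51.100.7]",
    "Nov 25 12:47:14 server postfix/smtpd[32404]: connect from unknown[198.51.100.7]",
    "Nov 25 12:47:15 server postfix/smtpd[32404]: lost connection after RCPT from unknown[192.0.2.9]",
]

if __name__ == "__main__":
    print("broken filter, bad lines:", parse_failregex(BROKEN_FILTER)[1])
    lines, _ = parse_failregex(FIXED_FILTER)
    print("fixed filter, regexes:", len(lines))
    print("hosts matched:", matched_hosts(compile_failregex(lines), SAMPLE_LOG))
```

One thing the run makes visible: the first regex's `.*\..*\[` requires a dot somewhere before the bracket, so "lost connection after RCPT from unknown[192.0.2.9]" in the sample is not matched at all; only clients with a reverse-resolved name hit that line, and "unknown" clients are caught by the second regex alone.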