Hi Jody,
On 16/05/2018 at 20:09, Jody Whitesides wrote:
[…] Here’s what it looks like:
14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting
address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <->
104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <->
IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error
reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <->
IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error
reason=Connection timeout
Actually there would be a few other attempts in between line 2 and 6
there. Thus, I’d like to create a filter that can figure out the hex
thing before the 'mta event' as that is what ties the first part’s
attempt to the fact that it's failing. Then I’d like to ban that host,
both the IPv4 and IPv6 ones that are doing whatever it is they’re
attempting to do.
Does this make sense?
This was my attempt:
^.*mta event=connecting address=<HOST>.*\n.*smtp-out: Enabling route\s*$
But it didn’t work. […]
I do not see any reason why you wouldn’t be able to match any one of
these lines, which are properly formatted, with Fail2ban.
However, as you rightly say yourself, the tricky part comes from the hex
thing… To my knowledge, Fail2ban does not have a notion of “context”,
that would allow attaching line 6 to line 1, or line 4 to whatever
corresponding line came before…
You *might* be interested in a tool that I wrote, that should be able to
handle this situation: Pyruse.
https://yalis.fr/git/yves/pyruse
There is one condition for using Pyruse: your logs have to be in
systemd-journald.
Starting from there, you can use the “DNAT-correcting actions” to
achieve your goal with:
```json
[
  { "filter": "filter_pcre",
    "args": { "field": "MESSAGE",
              "re": "^(.*) mta event=connecting address=.* host=(.*)$",
              "save": [ "hash", "hostIP" ] } },
  { "action": "action_dnatCapture",
    "args": { "saddr": "hostIP", "addr": "hash" } }
]
```
and:
```json
[
  { "filter": "filter_pcre",
    "args": { "field": "MESSAGE",
              "re": "^(.*) mta event=error reason=Connection timeout$",
              "save": [ "hostIP" ] } },
  { "action": "action_dnatReplace",
    "args": { "addr": "hostIP", "saddrInto": "hostIP" } },
  { "action": "action_email",
    "args": { "message": "Mail attack from {hostIP}." } }
]
```
That’s the general idea; it can be optimized (see the documentation).
And you can replace (or complement) the email at the end with a ban of
your choice (nftables, or ipset).
I hope this helps…
Cheers,
Yves.
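The "context" problem discussed in this thread (tying the `mta event=error` line back to the earlier `mta event=connecting` line through the 16-hex-digit session id, so that the real host can be blocked) can also be solved with a small stateful correlator outside Fail2ban. The following is an added example written for this thread; it is not code from the thread, from Fail2ban or from Pyruse. It assumes syslog-style lines as shown in the quoted message (the sample input below is copied from that excerpt), keeps a session-id to host map learnt from `connecting` events, and counts a failure against the host when the matching `error` event arrives; `hosts_to_ban` is a hypothetical helper that only returns the hosts exceeding a threshold, leaving the actual nftables/ipset ban to the operator.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the six OpenSMTPD lines quoted in the thread, each on one line
# ("HH:MM:SS host smtpd[pid]: <message>"). Session edd53f4be38a36a0 errors without a
# visible 'connecting' line, which is exactly the case the correlator must tolerate.
SAMPLE_LOG = """\
14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout
"""

# The session id is the 16-hex-digit token that precedes "mta event=".
SYSLOG_PREFIX = r"^(?P<ts>\S+) \S+ smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) "
CONNECT_RE = re.compile(SYSLOG_PREFIX + r"mta event=connecting address=\S+ host=(?P<host>\S+)$")
ERROR_RE = re.compile(SYSLOG_PREFIX + r"mta event=error reason=(?P<reason>.*)$")


def correlate(lines) -> Tuple[Dict[str, int], List[str]]:
    """Walk the log once and return (failures_per_host, orphan_session_ids).

    A 'connecting' event records which host a session id belongs to; the later
    'error' event for the same id is charged to that host. Error events whose
    session id was never seen connecting are reported as orphans instead of
    being silently dropped, so a truncated log does not hide a failing host.
    """
    sessions: Dict[str, str] = {}   # session id -> remote host
    failures: Dict[str, int] = {}   # remote host -> number of failed deliveries
    orphans: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = CONNECT_RE.match(line)
        if m:
            sessions[m["sid"]] = m["host"]
            continue
        m = ERROR_RE.match(line)
        if m:
            host = sessions.pop(m["sid"], None)   # a session ends at its error
            if host is None:
                orphans.append(m["sid"])
            else:
                failures[host] = failures.get(host, 0) + 1
    return failures, orphans


def hosts_to_ban(failures: Dict[str, int], threshold: int) -> List[str]:
    """Hypothetical policy hook: hosts with at least `threshold` failures, sorted."""
    return sorted(h for h, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    found, unknown = correlate(SAMPLE_LOG.splitlines())
    print("failures per host:", found)
    print("error events with no connecting line:", unknown)
    print("candidates for a ban (threshold 1):", hosts_to_ban(found, 1))
```

On the sample above the correlator charges one timeout to 104.28.23.114 and flags edd53f4be38a36a0 as an orphan, which is the "other attempts in between" situation Jody describes: the connecting line for that session is simply not in the excerpt. In production the `sessions` map should expire entries (a session that never errors would otherwise stay forever), and the IPv4 and IPv6 hosts of one sender still have to be joined by the operator, since nothing in these lines links them.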
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users