That seems to be the wrong approach. If you don't want connections on
submission (port 587), stop listening on it or close the external
firewall. If you are using it for your users, blocking more than one
attempt will limit how much your users can send emails through your server.
My own suggestion is to allow submission only for your users and turn
off authentication on SMTP as that is currently where most of the
password cracking is going on.
I only run a family server, and I also detect any failed password
attempt and immediately ban the device. I whitelist my LAN, so I can set
up a phone on my LAN and get it to remember the password. Then it should
never go wrong when roaming. In that way I can block any failed password
attempt.
On 01/01/2020 09:16, [email protected] wrote:
Hello,
I have a question about catching submission (postfix) connections from IPs
which tried it more than once.
Here is an example:
log:
Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate
1/60s for (submission:45.143.222.192) at Jan 1 11:19:13
Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1
for (submission:45.143.222.192) at Jan 1 11:19:13
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from
unknown[45.143.222.192]
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from
unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate
1/60s for (submission:45.143.222.192) at Jan 1 11:23:32
Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1
for (submission:45.143.222.192) at Jan 1 11:23:32
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from
unknown[45.143.222.192]
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from
unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate
1/60s for (submission:45.143.222.192) at Jan 1 11:26:59
Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1
for (submission:45.143.222.192) at Jan 1 11:26:59
Jan 1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from
unknown[45.143.222.192]
Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from
unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate
1/60s for (submission:45.143.222.192) at Jan 1 11:31:36
Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1
for (submission:45.143.222.192) at Jan 1 11:31:36
Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from
unknown[45.143.222.192]
Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from
unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate
1/60s for (submission:45.143.222.192) at Jan 1 11:35:21
Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1
for (submission:45.143.222.192) at Jan 1 11:35:21
Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from
unknown[45.143.222.192]
Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from
unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
cat /var/log/mail.log | grep 45.143.222.192 | wc -l
1471
Is there a way to handle it with fail2ban?
Thank you
Silvio
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
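The question above asks how to turn the repeated "disconnect from ... auth=0/1" lines into a fail2ban ban, and the reply describes banning on any failed password attempt while whitelisting the LAN. The script below is an added example (not from the thread, and not fail2ban's own code or its stock postfix filter): it implements that decision in plain Python over constructed sample lines modelled on the excerpt, so the counting logic can be checked before it is committed to a filter. The LAN range, the threshold and the failregex string are assumptions.

```python
"""Count failed AUTH attempts per client IP in Postfix submission logs.

Added example, not code from the thread or from fail2ban. It mirrors what a
fail2ban filter plus a jail's maxretry/ignoreip would decide for the lines
quoted in the question.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: three lines adapted from the thread's excerpt plus
# two invented lines (a LAN user logging in successfully, and a client that
# never issued AUTH) so the edge cases are exercised.
SAMPLE_LOG = """\
Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:30:05 ru-mail postfix/submission/smtpd[7400]: disconnect from phone.lan[192.168.1.20] ehlo=2 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan 1 11:32:10 ru-mail postfix/submission/smtpd[7450]: disconnect from unknown[203.0.113.7] ehlo=1 quit=1 commands=2
"""

# Assumed LAN range to leave alone, the equivalent of fail2ban's ignoreip.
IGNORE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Only submission/smtpd disconnect lines carry the per-command counters.
DISCONNECT_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: disconnect from "
    r"[^\s\[]+\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# Postfix logs auth=<succeeded>/<attempted>; auth=0/1 is one failed attempt.
AUTH_RE = re.compile(r"\bauth=(?P<ok>\d+)/(?P<tried>\d+)")

# What the same rule would look like as a fail2ban failregex (assumed snippet,
# written for illustration; <HOST> is fail2ban's client-address placeholder).
FAIL2BAN_FAILREGEX = (
    r"^%(__prefix_line)spostfix/submission/smtpd\[\d+\]: disconnect from "
    r"\S+\[<HOST>\](?: \S+=\d+(?:/\d+)?)* auth=0/[1-9]\d*"
)


def failed_auth_from_line(line):
    """Return (ip, failed_attempts) for a submission disconnect line, else None.

    Lines without an auth= counter (the client never tried to log in) and
    lines where every attempt succeeded are not counted.
    """
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    a = AUTH_RE.search(m.group("rest"))
    if not a:
        return None
    failed = int(a.group("tried")) - int(a.group("ok"))
    if failed <= 0:
        return None
    return m.group("ip"), failed


def is_ignored(ip):
    """True when the address falls inside one of the whitelisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IGNORE_NETS)


def failed_auth_per_ip(lines):
    """Sum failed AUTH attempts per client IP, skipping whitelisted ranges."""
    counts = Counter()
    for line in lines:
        hit = failed_auth_from_line(line)
        if hit is None:
            continue
        ip, failed = hit
        if not is_ignored(ip):
            counts[ip] += failed
    return counts


def ips_to_ban(lines, maxretry=2):
    """Client IPs whose failed attempts reached maxretry (fail2ban's threshold)."""
    return sorted(ip for ip, n in failed_auth_per_ip(lines).items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in failed_auth_per_ip(lines).items():
        print(f"{ip}: {n} failed AUTH attempt(s)")
    print("would ban:", ips_to_ban(lines, maxretry=2))
```

The threshold is the interesting knob: with maxretry=2 the probing host in the sample is banned after its second auth=0/1 disconnect, while the LAN client is never counted because its address is whitelisted, which is exactly the trade-off the reply describes. A real deployment would put the regex in a filter file and the whitelist in the jail's ignoreip rather than in a script, but the counting semantics are the same.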