Indeed. See my postfix-failedauth jail at https://github.com/fail2ban/fail2ban/issues/2200
Dominic

On Wed, 1 Jan 2020, 15:37 Bill Shirley, <[email protected]> wrote:

> I think the 'auth=0/1' is the number of successful logins vs login attempts.
> You should be able to key off of this with your failregex.
>
> Bill
>
> On 1/1/2020 4:16 AM, [email protected] wrote:
>
> Hello,
>
> I have a question about catching submission (postfix) connects from IPs
> which tried it more than one time.
>
> Here is an example:
>
> log:
>
> Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:19:13
> Jan 1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:19:13
> Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
> Jan 1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
> Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:23:32
> Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:23:32
> Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from unknown[45.143.222.192]
> Jan 1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
> Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:26:59
> Jan 1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:26:59
> Jan 1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from unknown[45.143.222.192]
> Jan 1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
> Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:31:36
> Jan 1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:31:36
> Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from unknown[45.143.222.192]
> Jan 1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
> Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan 1 11:35:21
> Jan 1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan 1 11:35:21
> Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from unknown[45.143.222.192]
> Jan 1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
>
> cat /var/log/mail.log | grep 45.143.222.192 | wc -l
> 1471
>
> Is there a way to handle it with fail2ban?
>
> Thank you
> Silvio
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
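The idea of keying on `auth=0/1` in the smtpd disconnect line, worked through as an added Python example (not the postfix-failedauth jail from the linked issue and not code from anyone in this thread). It applies a sliding window to the disconnect times from the quoted log to show how the window length decides whether a client that retries every few minutes is caught; the function names, the assumed year and the threshold values are choices made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd logs "auth=ok/total" only when some AUTH commands failed; a session
# whose AUTH commands all succeeded is logged as plain "auth=1".
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/submission/smtpd\[\d+\]: "
    r"disconnect from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bauth=(?P<ok>\d+)/(?P<total>\d+)\b")

def failed_auth_sessions(lines, year=2020):
    """Yield (timestamp, ip, failures); syslog omits the year, so it is assumed."""
    for line in lines:
        m = DISCONNECT.match(line)
        if m and int(m["total"]) > int(m["ok"]):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["total"]) - int(m["ok"])

def ips_to_ban(lines, maxretry, findtime):
    """Return {ip: time the threshold was reached} for a maxretry/findtime window."""
    recent, banned = defaultdict(deque), {}
    for ts, ip, failures in failed_auth_sessions(lines):
        window = recent[ip]
        window.extend([ts] * failures)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            banned.setdefault(ip, ts)
    return banned

_TAIL = "ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4"
# Disconnect times and client address as in the quoted log (PID simplified).
SAMPLE = [
    f"Jan 1 {t} ru-mail postfix/submission/smtpd[7386]: "
    f"disconnect from unknown[45.143.222.192] {_TAIL}"
    for t in ("11:23:32", "11:26:59", "11:31:37", "11:35:21", "11:39:19")
] + [
    "Jan 1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection "
    "count 1 for (submission:45.143.222.192) at Jan 1 11:23:32",
    # Constructed line: a client whose single AUTH succeeded (no slash form).
    "Jan 1 11:40:00 ru-mail postfix/submission/smtpd[7500]: disconnect from "
    "client.example[192.0.2.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",
]

if __name__ == "__main__":
    for retry, minutes in ((3, 10), (5, 10), (5, 60)):
        print(retry, minutes, ips_to_ban(SAMPLE, retry, timedelta(minutes=minutes)))
```

With one attempt roughly every four minutes, a ten-minute window never holds more than three failures, so a threshold of five is only reached once the window is widened.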
