On 20.07.2017 at 20:03, mj wrote:
Hi Robert,
I don't understand why you focused on those LDAP strings; fail2ban should trigger on some "Authentication failure" regex in the related syslog.
Perhaps this will help to make it more clear:
http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot
Yes, but I have that as well. :-)
I wanted two kinds of blockings:
#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e, etc, etc) to become blocked *immediately* and for *always*.
#2: I wanted all others to have the 'regular' settings, with three shots at typing a password, etc.
#2 being the 'regular fail2ban' settings, but during this attack, I wanted special settings, #1, for anyone trying one of the malicious passwords.
I did NOT want them to have the usual three opportunities to try.
In fact: this is a bit similar to your iptables solution, but that only works for non-ssl/non-tls connections.
Your iptables solution makes sure that they cannot authenticate *at all*, while the above solution makes sure they can only authenticate *once*.
MJ
Ok I understand, not a bad idea, report how it works for you
Best Regards
Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263. Executive board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
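
The two-tier policy mj describes, as an added example that is not part of the original thread: a constructed log is replayed, a well-known password gets the source address banned permanently on the first hit (#1), and every other address gets three tries (#2). The log layout with its `pass=` field, the 10-minute findtime and bantime, and the sample addresses are assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WELL_KNOWN = {"password", "123321", "1q2w3e"}  # the passwords named in the thread
MAXRETRY = 3                       # the "three shots" of rule #2
FINDTIME = timedelta(minutes=10)   # assumed
BANTIME = timedelta(minutes=10)    # assumed; rule #1 ignores it
PERMANENT = None                   # ban expiry meaning "for always"

# Constructed log lines; the layout and the pass= field are assumptions.
SAMPLE_LOG = """\
2017-07-20T20:00:01 auth failed rip=203.0.113.5 user=info pass=123321
2017-07-20T20:00:05 auth failed rip=198.51.100.7 user=mj pass=Sumer17
2017-07-20T20:00:40 auth failed rip=203.0.113.5 user=info pass=password
2017-07-20T20:01:10 auth failed rip=198.51.100.7 user=mj pass=Summer17
2017-07-20T20:02:00 auth failed rip=198.51.100.7 user=mj pass=summer17
2017-07-20T20:05:00 auth failed rip=198.51.100.9 user=bob pass=Winter16
2017-07-20T20:30:00 auth failed rip=198.51.100.9 user=bob pass=Winter61
"""
LINE_RE = re.compile(r"^(\S+) auth failed rip=(\S+) user=\S+ pass=(\S*)$")

def evaluate(log_text):
    """Replay a log; return {ip: (rule, ban_expiry)}."""
    bans, recent = {}, defaultdict(deque)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, ip, password = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if ip in bans and (bans[ip][1] is PERMANENT or when < bans[ip][1]):
            continue  # still banned: this attempt would never reach the server
        if password in WELL_KNOWN:
            bans[ip] = ("#1", PERMANENT)  # one hit, banned for good
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:  # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = ("#2", when + BANTIME)
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (rule, until) in evaluate(SAMPLE_LOG).items():
        print(ip, rule, "permanent" if until is None else f"until {until}")
```

The third address never appears in the result: its two failures are 25 minutes apart, so the first has aged out of the findtime window before the second arrives.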