Ed W wrote:
Lou Duchez wrote:
So any failure at any of the three protocols (SMTP, POP3, IMAP) is considered a "strike" by all three, and they should all ban the same guys at the same time. This is as yet untested, but seems like it should be pretty sound.
I think you only need one service and you can use the iptables-multi (or something similar) to block all the ports if you get a hit?
Ed W
!!!
Just when I think I've achieved ultimate perfection on this, someone comes along with a great idea. Thanks!
So I guess we take out the "sasl-iptables" part of jail.conf and replace it with:
[smtppop3imap]
enabled = true
filter = smtppop3imap
action = iptables-multiport[name=smtppop3imap, port="smtp,pop3,imap", protocol=tcp]
logpath = /var/log/maillog
ignoreip = 192.168.1.0/24 123.123.123.123/27 234.234.234.234
maxretry = 2
findtime = 1200
bantime = 1200
smtppop3imap.conf is as previously described:
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
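As an added example (not from the thread or from fail2ban itself), the combined filter and jail logic above exercised in Python against constructed maillog lines: both failregex patterns run over every line, so one SMTP and one POP3 failure from the same address together reach maxretry inside findtime, while ignoreip addresses are never counted. The sample addresses, the hand-expanded <HOST> group and the sliding-window check are assumptions of this example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# The two failregex lines from smtppop3imap.conf; fail2ban expands <HOST> into
# a named group itself, done by hand here so the filter runs stand-alone.
HOST = r"(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    re.compile(r": warning: [-._\w]+\[" + HOST + r"\]: SASL "
               r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"),
    re.compile(r"(?: pop3-login|imap-login): (?:Authentication failure|"
               r"Aborted login \(auth failed|Disconnected \(auth failed)"
               r".*rip=(?P<host>\S*),.*"),
]
# Jail parameters taken from the [smtppop3imap] section above.
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in
            ("192.168.1.0/24", "123.123.123.123/27", "234.234.234.234")]
MAXRETRY, FINDTIME = 2, 1200  # findtime in seconds

# Constructed sample maillog lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan  5 10:00:03 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jan  5 10:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10
Jan  5 10:30:00 mail postfix/smtpd[1234]: warning: unknown[192.168.1.55]: SASL PLAIN authentication failed: authentication failure
"""

def match_failure(line):
    """Return (timestamp, host) if either failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:  # syslog prefix "Mon DD HH:MM:SS" is the first 15 characters
            return datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")
    return None

def hosts_to_ban(log_text):
    """Hosts with MAXRETRY or more failures inside one FINDTIME window, minus ignoreip."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None or any(ipaddress.ip_address(hit[1]) in n for n in IGNOREIP):
            continue  # no match, or whitelisted address that is never counted
        failures[hit[1]].append(hit[0])
    banned = set()
    for host, times in failures.items():
        times.sort()  # one SMTP plus one POP3 failure from the same host count together
        for i in range(len(times) - MAXRETRY + 1):
            if (times[i + MAXRETRY - 1] - times[i]).total_seconds() <= FINDTIME:
                banned.add(host)
                break
    return sorted(banned)
```

Running `hosts_to_ban(SAMPLE_LOG)` returns only 198.51.100.7: its SMTP and POP3 failures two seconds apart reach maxretry, the single IMAP failure does not, and the 192.168.1.0/24 address is ignored.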