Re: under another kind of attack

29 Jul 2017

      Hi to all,
@Olaf Hopp I've this filter enabled for fail2ban, my question is: could
my filters overlap or interfere with those suggested by you?
this is my filter:
Contents of /etc/fail2ban/jail.conf:
[postfix]
Ban for 10 minutes if it fails 6 times within 10 minutes
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6
bantime  = 600
findtime = 600
Contents of /etc/fail2ban/filter.d/postfix.conf:
Fail2Ban configuration file
Author: Cyril Jaquier
$Revision$
[Definition]
Option:  failregex
Notes.:  regex to match the password failures messages in the
logfile. The
host must be matched by a group named "host". The tag
"<HOST>" can
be used for standard IP/hostname matching and is only an
alias for
(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
Values:  TEXT

Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH
from unknown[196.12.178.73]
failregex = lost connection after AUTH from unknown\[<HOST>\]
Option:  ignoreregex
Notes.:  regex to ignore. If this regex matches, the line is ignored.
Values:  TEXT

ignoreregex =
Many thanks!

Re: under another kind of attack

Davide Marchi

Ban for 10 minutes if it fails 6 times within 10 minutes

Fail2Ban configuration file

Author: Cyril Jaquier

$Revision$

Option: failregex

Notes.: regex to match the password failures messages in the

host must be matched by a group named "host". The tag

be used for standard IP/hostname matching and is only an

(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

Values: TEXT

Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH

Option: ignoreregex

Notes.: regex to ignore. If this regex matches, the line is ignored.

Values: TEXT