On Sat, 6 Apr 2013, Reindl Harald wrote:
Hi
has someone a script which can filter out dictionary attacks from /var/log/maillog and notify about the source-IPs?
i know about fail2ban and so on, but i would like to have a mail with the IP address for two reasons and avoid fail2ban at all because it does not match in the way we maintain firewalls
- add the IP to a distributed "iptables-block.sh" and distribute it to any server with a comment and timestamp
- write a abuse-mail to the ISP
Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?
That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on service that have open ports in the firewall.
Thanks,
Max Pyziur pyz@brama.com