On 06.04.2013 13:18, Reindl Harald wrote:
Hi
Does anyone have a script that can filter dictionary attacks out of /var/log/maillog and notify about the source IPs?
I know about fail2ban and so on, but I would like to get a mail with the IP address, for two reasons, and avoid fail2ban entirely because it does not fit the way we maintain firewalls:
- add the IP to a distributed "iptables-block.sh" and distribute it to every server, with a comment and timestamp
- write an abuse mail to the ISP
Hi Harald, not exactly,
but I have written a blog post on detecting brute-force attacks on dovecot and alerting via xymon:
http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovec...
I also have a blog post
about using iptables from an rsyslog pipe with the recent module to drop IPs:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-mo...
Mix them up somehow in scripts and produce a mail to the abuse mail account found via whois. To me, alerting is enough; on my servers it looks like most alarms are coming from users with wrong login data etc., and real brute force is rare.
Best regards, Robert Schetterer
-- sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Joerg Heidrich
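As an added example (not from either poster), a POSIX shell/awk filter that does the first half of what Harald asks for: it sums failed dovecot logins and postfix SASL failures per source IP from maillog lines and reports only IPs at or above a threshold, which is the list that would go into the notification or abuse mail. The sample log lines, the threshold and the dovecot/postfix message formats are constructed assumptions; the single-failure user stays below the threshold, matching Robert's point that most alarms are just wrong passwords.

```shell
#!/bin/sh
# Constructed sample of /var/log/maillog lines (dovecot + postfix SASL), not a real log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr  6 13:18:01 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10
Apr  6 13:18:05 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<test>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10
Apr  6 13:18:09 mx1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10
Apr  6 13:18:12 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Apr  6 13:19:00 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<harald>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Apr  6 13:19:30 mx1 dovecot: imap-login: Login: user=<harald>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
EOF

# failed_auth_ips LOGFILE THRESHOLD
# Prints "count ip" (highest first) for every source IP whose summed failed
# attempts reach THRESHOLD. Dovecot reports "N attempts" per disconnect, so the
# number is summed rather than counting lines; postfix SASL failures count as 1.
failed_auth_ips() {
    awk -v thr="$2" '
        /dovecot: .*auth failed/ {
            n = 1
            if (match($0, /auth failed, [0-9]+ attempts/))
                n = substr($0, RSTART + 13, RLENGTH - 22) + 0   # the digits only
            if (match($0, /rip=[0-9.]+/)) {                      # rip= is the remote IP
                ip = substr($0, RSTART + 4, RLENGTH - 4); cnt[ip] += n
            }
        }
        /postfix\/smtpd.*SASL .*authentication failed/ {
            # "client[ip]: SASL" rather than a bare "[digits]" so the pid is skipped
            if (match($0, /\[[0-9.]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8); cnt[ip] += 1
            }
        }
        END { for (ip in cnt) if (cnt[ip] >= thr) print cnt[ip], ip }
    ' "$1" | sort -rn
}

# Stand-alone run: this output is what a notification mail body would contain.
failed_auth_ips "$SAMPLE_LOG" 5
```

Run against the real file with `failed_auth_ips /var/log/maillog 20` from cron and pipe the output into your mailer of choice; a threshold well above one keeps mistyped passwords out of the report.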