#9 not finding failures for courier-smtp

Status: closed-fixed
Owner: Cyril Jaquier
Labels: None
Priority: 5
Updated: 2006-08-22
Created: 2005-09-23
Creator: Anonymous
Private: No

fail2ban is not finding failures that I'd like it to, to
prevent spam-probing of virtual domains on my server.

here is the configuration as I've entered it:

[CourierSMTP]
enabled = true
logfile = /var/log/mail.err
fwstart = iptables -N fail2ban-smtp
          iptables -I INPUT -p tcp --dport smtp -j fail2ban-smtp
          iptables -A fail2ban-smtp -j RETURN

fwend = iptables -D INPUT -p tcp --dport smtp -j fail2ban-smtp
        iptables -D fail2ban-smtp -j RETURN
        iptables -X fail2ban-smtp

fwban = iptables -I fail2ban-smtp 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-smtp -s <ip> -j DROP

timeregex = \S{3} \d{2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S

failregex = 550 User Unknown

The logs look like this:

Sep 23 13:19:04 SERVER courieresmtpd: error,relay=::ffff:200.138.205.232,from=<pliq_ljgg_o_r_l@PROBED.org>,to=<agaisin@PROBED.org>: 550 User unknown.

Yes, the from domain name is set to the to in this
example. As far as I can see the RE in the dns.py
stringtoip function should catch the IP address by
pattern here. SSH is working fine, but I'm getting
about a thousand of these probes a day in my mail.err,
and I'd like very much to cut down on these.

Thanks,

-Peter
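The following is an added illustration, not code from the bug report or from fail2ban itself. It re-runs the reporter's timeregex/timepattern and failregex over the quoted log line (re-joined onto one line) plus a few constructed lines, as a plain case-sensitive Python regex search (an assumption about how the pattern is applied; it does not reproduce fail2ban 0.6's matcher). Two things become visible: the pattern as typed ("550 User Unknown") does not match the reply as courier logs it ("550 User unknown."), and a pattern that anchors on courier's relay= field can pull the client address out from behind the ::ffff: IPv4-mapped prefix so that failures can be counted per host. FIXED_FAILREGEX, find_failure, count_failures and hosts_to_ban are hypothetical names introduced here.

```python
import re
from datetime import datetime

# Timestamp settings copied from the reporter's configuration. The doubled
# "%%" in the INI file is ConfigParser escaping; the real strptime format
# uses single "%".
TIMEREGEX = re.compile(r"\S{3} \d{2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"

# The failregex exactly as entered in the bug report.
REPORTED_FAILREGEX = re.compile(r"550 User Unknown")

# Hypothetical replacement (not fail2ban's own pattern): anchor on courier's
# "relay=" field, skip the IPv4-mapped IPv6 prefix, capture the IPv4 address
# and match the reply text the way it actually appears ("unknown." lowercase).
FIXED_FAILREGEX = re.compile(
    r"courieresmtpd: error,relay=(?:::ffff:)?(?P<host>(?:\d{1,3}\.){3}\d{1,3}),"
    r".*: 550 User unknown\."
)

# Constructed sample: the first entry is the line quoted in the report,
# re-joined onto one line; the others are made up for this example using
# TEST-NET (192.0.2.0/24) addresses and are not real courier output.
SAMPLE_LINES = [
    "Sep 23 13:19:04 SERVER courieresmtpd: error,relay=::ffff:200.138.205.232,"
    "from=<pliq_ljgg_o_r_l@PROBED.org>,to=<agaisin@PROBED.org>: 550 User unknown.",
    "Sep 23 13:19:09 SERVER courieresmtpd: error,relay=::ffff:200.138.205.232,"
    "from=<x@PROBED.org>,to=<nobody@PROBED.org>: 550 User unknown.",
    "Sep 23 13:20:11 SERVER courieresmtpd: error,relay=::ffff:192.0.2.10,"
    "from=<a@example.org>,to=<b@example.org>: 550 User unknown.",
    "Sep 23 13:21:30 SERVER courieresmtpd: error,relay=::ffff:192.0.2.20,"
    "from=<c@example.org>,to=<d@example.org>: 452 Mailbox full (constructed)",
]


def find_failure(line, failregex):
    """Return (timestamp, host) if the line is a failure, else None.

    Same two-step idea as the reporter's config: failregex decides whether
    the line is a failure, then the timestamp is parsed from the same line.
    A pattern without a "host" group yields host=None.
    """
    match = failregex.search(line)
    if not match:
        return None
    tmatch = TIMEREGEX.search(line)
    if not tmatch:
        return None
    # syslog timestamps carry no year; strptime fills in 1900
    timestamp = datetime.strptime(tmatch.group(0), TIMEPATTERN)
    host = match.groupdict().get("host")
    return timestamp, host


def count_failures(lines, failregex):
    """Count failures per host; lines whose host cannot be extracted are dropped."""
    counts = {}
    for line in lines:
        hit = find_failure(line, failregex)
        if hit is None or hit[1] is None:
            continue
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


def hosts_to_ban(counts, maxfailures=2):
    """Hosts at or above the failure threshold, sorted for stable output."""
    return sorted(host for host, n in counts.items() if n >= maxfailures)


if __name__ == "__main__":
    print("reported pattern:", count_failures(SAMPLE_LINES, REPORTED_FAILREGEX))
    print("relay-anchored pattern:", count_failures(SAMPLE_LINES, FIXED_FAILREGEX))
    print("would ban:", hosts_to_ban(count_failures(SAMPLE_LINES, FIXED_FAILREGEX)))
```

With the reported pattern nothing is counted, so no host ever reaches the ban threshold; with the relay-anchored pattern the probing address from the report is counted twice and the constructed single failure is not banned at a threshold of 2. Anchoring on the relay= field rather than on the reply text alone also guards against a sender address in the from=<...> field being mistaken for the client.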

Discussion

  • Cyril Jaquier
    2006-02-16

    • status: open --> open-accepted

  • Cyril Jaquier
    2006-02-16

    Logged In: YES
    user_id=933467

    Fail2ban 0.6 and previous versions cannot handle such things
    right. This will be changed in 0.7.

  • Cyril Jaquier
    2006-08-22

    • status: open-accepted --> closed-fixed

  • Cyril Jaquier
    2006-08-22

    Logged In: YES
    user_id=933467

    Fixed in Subversion repository. Will be in 0.7.0.

    There is no courier-smtp configuration yet but everything
    needed to create one should be available.