From: LuKreme <kr...@kr...> - 2013-06-30 08:41:37
I am wondering why I might want to use the postfix-tcpwrappers action block in jail.conf instead of the SMTP action block? And also, despite having the bantime set to 9000 I see IPs reconnecting to postfix:

[SMTP]
enabled = true
logpath = /var/log/maillog
action = hostsdeny
maxretry = 3
bantime = 9000
filter = postfix

For example:

# grep 208.84.134.170 /var/log/fail2ban.log
2013-06-30 00:44:01,986 fail2ban.actions: WARNING [SMTP] Ban 208.84.134.170
2013-06-30 01:14:04,937 fail2ban.actions: WARNING [SMTP] 208.84.134.170 already banned
2013-06-30 01:54:08,952 fail2ban.actions: WARNING [SMTP] 208.84.134.170 already banned

# grep 208.84.134.170 /var/log/maillog | grep CONNECT
Jun 30 00:23:25 mail postfix/postscreen[2928]: CONNECT from [208.84.134.170]:33765
Jun 30 00:33:27 mail postfix/postscreen[3044]: CONNECT from [208.84.134.170]:42346
Jun 30 00:44:00 mail postfix/postscreen[3090]: CONNECT from [208.84.134.170]:45394
Jun 30 00:54:00 mail postfix/postscreen[3141]: CONNECT from [208.84.134.170]:51496
Jun 30 01:04:03 mail postfix/postscreen[4315]: CONNECT from [208.84.134.170]:53332
Jun 30 01:14:03 mail postfix/postscreen[4462]: CONNECT from [208.84.134.170]:43977
Jun 30 01:24:04 mail postfix/postscreen[4634]: CONNECT from [208.84.134.170]:47926
Jun 30 01:34:05 mail postfix/postscreen[4725]: CONNECT from [208.84.134.170]:42557
Jun 30 01:44:06 mail postfix/postscreen[4915]: CONNECT from [208.84.134.170]:34053
Jun 30 01:54:07 mail postfix/postscreen[5065]: CONNECT from [208.84.134.170]:58534
Jun 30 02:04:07 mail postfix/postscreen[5182]: CONNECT from [208.84.134.170]:42486
Jun 30 02:14:08 mail postfix/postscreen[5305]: CONNECT from [208.84.134.170]:46992

# cat /usr/local/etc/fail2ban/filter.d/postfix.conf
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]:
ignoreregex =

-- 
<[TN]FBMachine> I got kicked out of Barnes and Noble once for moving all the bibles into the fiction section
From: Steven H. <ste...@hi...> - 2013-06-30 11:13:22
On 30/06/13 09:25, LuKreme wrote:
> I am wondering why I might want to use the postfix-tcpwrappers action block in jail.conf instead of the SMTP action block? And also, despite having the bantime set to 9000 I see IPs reconnecting to postfix:
>
Not sure what version and distro you are using, but regardless: the postfix-tcpwrappers jail uses the /etc/hosts.deny file to specify the block. Note that in order for this to work, postfix needs to be linked to libwrap, which may be why you're not seeing bans working effectively. To check, see: http://www.ducea.com/2006/07/02/how-to-find-out-if-a-daemon-was-build-with-tcp-wrappers-support-hostsallowhostsdeny/

The non-tcpwrappers version of the jail should use whatever firewall you have set in your config, e.g. iptables.

-- 
Steven Hiscocks
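Added example (not code from the thread or from fail2ban itself) that replays the jail logic from the first message over constructed maillog lines: the failregex from the posted filter.d/postfix.conf with <HOST> substituted, the maxretry/findtime/bantime decision, and the line the hostsdeny action appends to /etc/hosts.deny. It also shows why the postscreen CONNECT lines in the original post are invisible to the filter, and why matches during an active ban are reported as "already banned" rather than as new bans. Assumptions: fail2ban's <HOST> expansion is simplified to an IPv4 pattern, findtime is taken as fail2ban's default of 600 seconds, the syslog year is supplied by the caller, the hosts.deny entry format is assumed to be "ALL: <ip>", and all log lines and addresses (TEST-NET ranges) are constructed. Whether a ban written to hosts.deny is actually enforced is outside this model; as the reply notes, that depends on postfix being linked against libwrap.

```python
"""Replay a fail2ban postfix jail decision over constructed maillog lines.

Added example for the thread above; not fail2ban's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the posted filter.d/postfix.conf, with <HOST> substituted.
FAILREGEX = re.compile(r"reject: RCPT from (.*)\[" + HOST + r"\]:")

# Syslog timestamp at the start of each maillog line (year is not logged).
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log (TEST-NET addresses, not real traffic).
SAMPLE_MAILLOG = """\
Jun 30 00:23:25 mail postfix/postscreen[2928]: CONNECT from [192.0.2.77]:33765
Jun 30 00:25:10 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.org> to=<b@example.net>
Jun 30 00:26:12 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.org> to=<c@example.net>
Jun 30 00:27:40 mail postfix/smtpd[2940]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.9]: 450 4.1.8 Sender address rejected; from=<x@example.com> to=<y@example.net>
Jun 30 00:28:01 mail postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.org> to=<d@example.net>
Jun 30 00:33:27 mail postfix/postscreen[3044]: CONNECT from [203.0.113.5]:42346
Jun 30 00:34:05 mail postfix/smtpd[2950]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.org> to=<e@example.net>
"""


def match_host(line):
    """Return the offending host if the line matches failregex, else None.

    postscreen CONNECT lines contain no 'reject: RCPT from', so they never
    count as failures for this filter.
    """
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def parse_timestamp(line, year):
    """Parse the syslog prefix; the year is an assumption supplied by the caller."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")


def hosts_deny_line(host, daemon_list="ALL"):
    """Entry the hostsdeny action appends to /etc/hosts.deny (format assumed)."""
    return "%s: %s" % (daemon_list, host)


def scan(log, maxretry=3, findtime=600, bantime=9000, year=2013):
    """Apply the jail decision logic to log text.

    Returns (bans, repeats): bans is a list of (host, ban_time) for each new
    ban; repeats lists matches that arrived while the host was already banned,
    which fail2ban logs as 'already banned' instead of banning again.
    """
    hits = defaultdict(list)   # host -> timestamps of matches inside findtime
    banned = {}                # host -> time the ban expires
    bans, repeats = [], []
    for line in log.splitlines():
        host = match_host(line)
        if host is None:
            continue
        ts = parse_timestamp(line, year)
        if host in banned and ts < banned[host]:
            repeats.append((host, ts))
            continue
        banned.pop(host, None)  # ban expired; start counting again
        window = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            hits[host] = []
    return bans, repeats


if __name__ == "__main__":
    new_bans, already = scan(SAMPLE_MAILLOG)
    for host, when in new_bans:
        print("%s Ban %s -> hosts.deny gets %r" % (when, host, hosts_deny_line(host)))
    for host, when in already:
        print("%s %s already banned" % (when, host))
```

Running it bans 203.0.113.5 at its third reject within findtime and reports the later reject as "already banned"; the single reject from 198.51.100.9 and every CONNECT line are ignored. The same behaviour can be checked against a real log with fail2ban-regex, which prints which lines a filter's failregex matches.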