From: Steven H. <ste...@hi...> - 2013-12-13 21:38:01
On 13/12/13 21:08, Jesper Holck wrote:
> I use qpsmtpd and have set up fail2ban to also use the qpsmtpd jail, and
> this seems to work very fine, thank you.
>
> But in the qpsmtpd log files I very frequently see lots of lines like
> the following:
>
> 2013-12-11 11:51:55.684264500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
> 2013-12-11 11:51:56.057305500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
> 2013-12-11 11:51:56.430513500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ -
>
> The messages go on and on; in this particular attempt of misuse it was
> 2700+ failed authentications within 20 minutes.
>
> Is it possible to make a fail2ban jail to handle these failures?
>
> Any help appreciated,
> Jesper, Denmark
>

Not sure what you can do here, as there is no host information to conduct the ban.

There is a fail2ban _0.9_ branch in development with multi-line regular expressions. If there are lines before or after these with the host information (like a client connect/disconnect message), that could be an option. You do however need to have some way to link the lines together, which for example is by PID for some sshd filters we have.

Another option is to raise with qpsmtpd devs to see if they can modify the logging to report the host or IP address on those lines.

Also, if you could share your example log lines and filter that would be great, as we can incorporate them into upstream for everyone to use. ☺

Thanks
--
Steven Hiscocks
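The PID-based linking Steven describes, as an added example that is not part of the original thread and not fail2ban's own filter code or its 0.9 multi-line syntax: a small Python correlator that remembers which client IP each qpsmtpd child PID is serving, attributes later "Authentication failed" lines (whose host field is empty) to that IP, and drops the mapping on disconnect so a reused PID is not blamed for an earlier client's failures. The log lines are constructed for the example, and the wording of the connect line ("Connection from host [ip]") and the close line ("Connection closed") is an assumption; qpsmtpd's real messages may differ and the regexes would need adjusting. The trailing `^@` bytes in the posted lines are NUL characters, which the example strips from the username before reporting it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the original post). The "Connection from"
# and "Connection closed" wording is an ASSUMPTION about qpsmtpd's log format.
# PID 13420 is reused by a second client after its first connection closes,
# and PID 99999 fails without any preceding connect line (e.g. after a log
# rotation), so that failure cannot be attributed to an address.
SAMPLE_LOG = [
    "2013-12-11 11:51:50.100000000 13420 Connection from mail.example.net [192.0.2.10]",
    "2013-12-11 11:51:51.100000000 13421 Connection from other.example.org [198.51.100.7]",
    "2013-12-11 11:51:55.684264500 13420 Authentication failed for payments\x00\x00\x00\x00 -",
    "2013-12-11 11:51:56.057305500 13420 Authentication failed for payments\x00\x00\x00\x00 -",
    "2013-12-11 11:51:56.430513500 13420 Authentication failed for payments\x00\x00\x00\x00 -",
    "2013-12-11 11:51:57.000000000 13421 Authentication failed for bob -",
    "2013-12-11 11:51:58.000000000 13420 Connection closed",
    "2013-12-11 11:52:00.000000000 13420 Connection from attacker.example [203.0.113.5]",
    "2013-12-11 11:52:01.000000000 13420 Authentication failed for root -",
    "2013-12-11 11:52:02.000000000 99999 Authentication failed for admin -",
]

# Common prefix: date, time, PID. The PID is the only field that ties a
# failure line back to the connect line that carried the client address.
PREFIX = r"^\S+ \S+ (?P<pid>\d+) "
CONNECT_RE = re.compile(PREFIX + r"Connection from \S+ \[(?P<ip>[0-9A-Fa-f.:]+)\]")
CLOSE_RE = re.compile(PREFIX + r"Connection closed")
FAIL_RE = re.compile(PREFIX + r"Authentication failed for (?P<user>.*?) -$")


def tidy_user(user):
    """Strip the trailing NUL padding (rendered as ^@ in the post) and escape
    any other control characters so the name is safe to print or log."""
    user = user.rstrip("\x00")
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in user)


def correlate_failures(lines):
    """Walk the log once, tracking pid -> client IP from connect lines.

    Returns a dict with:
      per_ip       : failed-auth count per attributed client address
      users        : sorted usernames tried from each address
      unattributed : failures whose PID had no live connect line
    """
    pid_to_ip = {}
    per_ip = Counter()
    users = defaultdict(set)
    unattributed = 0
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            pid_to_ip[m["pid"]] = m["ip"]
            continue
        m = CLOSE_RE.match(line)
        if m:
            # Forget the mapping: the PID may be reused by another client.
            pid_to_ip.pop(m["pid"], None)
            continue
        m = FAIL_RE.match(line)
        if m:
            ip = pid_to_ip.get(m["pid"])
            if ip is None:
                unattributed += 1  # never ban on a guess
            else:
                per_ip[ip] += 1
                users[ip].add(tidy_user(m["user"]))
    return {
        "per_ip": dict(per_ip),
        "users": {ip: sorted(s) for ip, s in users.items()},
        "unattributed": unattributed,
    }


def ips_to_ban(lines, maxretry=3):
    """Addresses with at least `maxretry` attributed failures, like fail2ban's
    maxretry threshold (the findtime window is ignored in this example)."""
    result = correlate_failures(lines)
    return sorted(ip for ip, n in result["per_ip"].items() if n >= maxretry)


if __name__ == "__main__":
    summary = correlate_failures(SAMPLE_LOG)
    for ip, n in sorted(summary["per_ip"].items()):
        print("%-16s %d failures, users tried: %s" % (ip, n, summary["users"][ip]))
    print("unattributed failures:", summary["unattributed"])
    print("would ban:", ips_to_ban(SAMPLE_LOG))
```

The two caveats this encodes are the ones a multi-line filter has to get right as well: the mapping must be cleared when the connection ends, otherwise a recycled PID banishes the wrong client, and a failure line with no matching connect line must count as unattributed rather than be banned against a stale or guessed address.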