I would ignore these occurrences at the fail2ban level and just worry about connection burst using iptables.



On Fri, Aug 15, 2014 at 3:11 PM, Nick Howitt <nick@howitts.co.uk> wrote:
Anyone, please?

Nick

On 2014-08-10 13:56, Nick Howitt wrote:
> Hi,
>
>  I've been using fail2ban for a few weeks now and have added and
> customised some of the filters, but there is one I would like but
> don't know where to start. Yesterday I started receiving this sequence
> in my maillog:
>
>  Aug 10 04:34:35 server postfix/smtpd[12704]: connect from
> 69-11-82-240.prna.static.sasknet.sk.ca[69.11.82.240]
>  Aug 10 04:34:35 server postfix/smtpd[12704]: disconnect from
> 69-11-82-240.prna.static.sasknet.sk.ca[69.11.82.240]
>
>  This is a connect immediately followed by a disconnect. For the
> moment I've banned him manually in my firewall. How can I write a
> regex spanning two log lines identifying a single IP address where the
> disconnect immediately follows a connect?
>
>  I have a low volume family mail server so it is unlikely that another
> e-mail message pops up between the connect and disconnect, and if it
> does, it really does not matter.
>
>  TIA,
>
>  Nick
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

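The pattern described in the quoted message, as an added example that is not part of the thread and not fail2ban code: a Python scan that counts, per IP, the sessions in which an smtpd process logs a connect and then a disconnect with nothing in between. It goes one step beyond the question by pairing lines on the smtpd PID, so lines from other sessions landing in between do not matter; the log lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the maillog format quoted above (documentation-range IPs).
SAMPLE_LOG = """\
Aug 10 04:34:35 server postfix/smtpd[12704]: connect from unknown[192.0.2.10]
Aug 10 04:34:35 server postfix/smtpd[12704]: disconnect from unknown[192.0.2.10]
Aug 10 04:35:01 server postfix/smtpd[12710]: connect from mail.example.org[198.51.100.7]
Aug 10 04:35:02 server postfix/smtpd[12710]: 3F2A1C0042: client=mail.example.org[198.51.100.7]
Aug 10 04:35:03 server postfix/smtpd[12710]: disconnect from mail.example.org[198.51.100.7]
Aug 10 04:36:10 server postfix/smtpd[12704]: connect from unknown[192.0.2.10]
Aug 10 04:36:10 server postfix/smtpd[12711]: connect from unknown[203.0.113.5]
Aug 10 04:36:11 server postfix/smtpd[12704]: disconnect from unknown[192.0.2.10]
Aug 10 04:36:40 server postfix/smtpd[12711]: lost connection after AUTH from unknown[203.0.113.5]
Aug 10 04:36:40 server postfix/smtpd[12711]: disconnect from unknown[203.0.113.5]
"""

# Pull the smtpd PID and the message text out of a syslog line.
LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "connect from host[ip]" / "disconnect from host[ip]" (IPv4 or IPv6 literal).
EVENT_RE = re.compile(r"^(?P<kind>connect|disconnect) from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]")


def empty_sessions(lines):
    """Count, per IP, sessions where one smtpd PID logs connect then disconnect
    with no other line from that PID in between."""
    pending = {}      # pid -> ip, set only while connect is that PID's latest line
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an smtpd line
        pid = m["pid"]
        ev = EVENT_RE.match(m["msg"])
        if ev and ev["kind"] == "connect":
            pending[pid] = ev["ip"]
        elif ev and pending.get(pid) == ev["ip"]:
            hits[ev["ip"]] += 1   # disconnect directly after connect
            del pending[pid]
        else:
            pending.pop(pid, None)  # any other activity means a real session
    return hits


if __name__ == "__main__":
    for ip, count in empty_sessions(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}: {count} empty session(s)")
```
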