From: Daniel B. <dan...@in...> - 2014-01-29 00:58:49

On 01/29/2014 11:15 AM, Noel Butler wrote:
> Daniel,
> On Tue, 2014-01-28 at 12:19 +1100, Daniel Black wrote:
>> On 01/28/2014 11:14 AM, Noel Butler wrote:
>> >
>> > failregex = too many errors after AUTH from .*\[<HOST>\]
>> > lost connection after AUTH from unknown\[<HOST>\]
>> >
>>
>> c) unanchored regexes are a common cause of DoS attacks - much detail
>> here: https://github.com/fail2ban/fail2ban/blob/master/FILTERS
>>
>
> OK, I admit to not being an F2B guru, and I'm not a fan of python and
> don't use, that said... if I understand correctly (probably not) I
> have modified these (since your defaults don't catch them on our system)
> to read:
>
> failregex = ^%(__prefix_line)stoo many errors after AUTH from \S+\[<HOST>\]$
> ^%(__prefix_line)slost connection after AUTH from unknown\[<HOST>\]$

looks right assuming you've got:

_daemon = postfix/smtpd

there too.

>
> log lines eg's:
>
> Jan 28 07:55:27 mx3 postfix/smtpd[8695]: too many errors after AUTH from
> unknown[88.247.41.106]
> Jan 28 12:24:06 mx3 postfix/smtpd[22381]: lost connection after AUTH
> from unknown[38.123.133.21]
>
> I think I've seen names prior to IP in too many errors after AUTH, which
> is why I must have used .* (now \S+) and not "unknown"

Also needs to happen in the second regex.

> does it look OK now, or need refinement more?

probably could condense to:

^%(__prefix_line)s(too many errors|lost connection) after AUTH from \S+\[<HOST>\]$

test what matches with

fail2ban-regex /var/log/mail.log postfix-sasl.conf

Looks ok except I'm wondering if false positives are an issue the same as
the fix requested in https://github.com/fail2ban/fail2ban/pull/600.
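As an added example (not part of the thread above and not fail2ban's own code), the following Python script expands the failregex lines from the message the way a fail2ban filter does (substituting `%(__prefix_line)s` and `<HOST>`), runs them over the two log lines Noel quoted plus a few constructed ones, and flags patterns that lack the `^`/`$` anchors the FILTERS document asks for. The `__prefix_line` stand-in is an assumption: it only covers the syslog layout of the quoted lines and is narrower than the real definition in fail2ban's filter.d/common.conf; the `<HOST>` stand-in is IPv4-only. The hostname `mail.example.com`, the `192.0.2.x` addresses and the `connect from` line are constructed.

```python
import re

# Constructed stand-in for fail2ban's %(__prefix_line)s; the real one in
# filter.d/common.conf handles more syslog variants. Assumption for this example.
PREFIX_LINE = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

# Constructed stand-in for fail2ban's <HOST> (IPv4 only; the real one is broader).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Noel's first, unanchored attempt, as quoted in the thread.
ORIGINAL_UNANCHORED = [
    r"too many errors after AUTH from .*\[<HOST>\]",
    r"lost connection after AUTH from unknown\[<HOST>\]",
]

# Noel's revised, anchored pair (second line still requires "unknown").
FAILREGEX_TWO = [
    r"^%(__prefix_line)stoo many errors after AUTH from \S+\[<HOST>\]$",
    r"^%(__prefix_line)slost connection after AUTH from unknown\[<HOST>\]$",
]

# Daniel's condensed form: one anchored expression, \S+ in both cases.
FAILREGEX_CONDENSED = [
    r"^%(__prefix_line)s(too many errors|lost connection) after AUTH from \S+\[<HOST>\]$",
]

# Two lines quoted in the thread (joined back onto single lines) plus three
# constructed ones: a named client for each message, and a line that must not match.
SAMPLE_LOG = [
    "Jan 28 07:55:27 mx3 postfix/smtpd[8695]: too many errors after AUTH from unknown[88.247.41.106]",
    "Jan 28 12:24:06 mx3 postfix/smtpd[22381]: lost connection after AUTH from unknown[38.123.133.21]",
    "Jan 28 13:01:10 mx3 postfix/smtpd[23001]: too many errors after AUTH from mail.example.com[192.0.2.10]",
    "Jan 28 13:02:44 mx3 postfix/smtpd[23002]: lost connection after AUTH from mail.example.com[192.0.2.11]",
    "Jan 28 13:03:00 mx3 postfix/smtpd[23003]: connect from unknown[192.0.2.20]",
]


def unanchored(patterns):
    """Return the failregex lines that do not start with ^ and end with $."""
    return [p for p in patterns if not (p.startswith("^") and p.endswith("$"))]


def compile_failregex(patterns, prefix=PREFIX_LINE):
    """Expand %(__prefix_line)s and <HOST> the way a fail2ban filter does."""
    compiled = []
    for pattern in patterns:
        pattern = pattern % {"__prefix_line": prefix}
        pattern = pattern.replace("<HOST>", HOST_RE)
        compiled.append(re.compile(pattern))
    return compiled


def extract_hosts(lines, compiled):
    """Return the <HOST> captured from each line that matches any failregex."""
    hosts = []
    for line in lines:
        for regex in compiled:
            match = regex.search(line)
            if match:
                hosts.append(match.group("host"))
                break  # fail2ban stops at the first failregex that matches
    return hosts


if __name__ == "__main__":
    print("unanchored originals:", unanchored(ORIGINAL_UNANCHORED))
    print("two-line version   :", extract_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX_TWO)))
    print("condensed version  :", extract_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX_CONDENSED)))
```

The two-line version misses the constructed `lost connection ... mail.example.com[...]` line because its second regex still insists on `unknown`, which is the point of the "also needs to happen in the second regex" remark; the condensed form catches both while the `connect from` line matches neither. Against a real log, `fail2ban-regex` as suggested in the message is the authoritative check.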