From: Kevin Z. <kev...@gm...> - 2016-11-25 19:52:40
On 10/16/2016 16:26, Jonathan Woithe wrote:
> Our mail host logs a large number of repeated sendmail messages of the
> following form:
>
>   <address> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> While isolated messages from some addresses do appear, there are a number of
> times where multiple messages are seen from a particular address, each
> within a second or so of the previous one. It's not entirely clear what the
> intent of these connections is, but it doesn't seem to be about sending
> mail. To that end, blocking the offending hosts with sshguard seems to be a
> worthwhile exercise.
>
> Find below a patch which adds such a rule to sshguard 1.7.0. I have applied
> this to 1.6.4 and tested it successfully (I haven't deployed 1.7.0 on the
> server yet due to the now resolved hosts backend issue). If you feel that
> this is a useful addition to sshguard, please consider applying it to the
> repo.

Sorry for the delay. Committed with changes in 928839c, thanks!

There was an issue with your patch (the "SENDMAIL_NOISSUE_PREF addr
SENDMAIL_NOISSUE_SUFF;" line in attack_parser.y) that prevented the
subsequent rules from being matched.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
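
An added example, not part of this thread and not sshguard's own code: a Python sketch that finds addresses producing the quoted sendmail message several times within a few seconds, which is the pattern the original report describes. The log lines are constructed, and the syslog layout around the message, the threshold, the window, and the year (syslog omits it) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the syslog layout around the message is an assumption.
SAMPLE_LOG = """\
Oct 16 16:20:01 mailhost sendmail[2101]: u9G5K1aB002101: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 16:20:01 mailhost sendmail[2102]: u9G5K1aC002102: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 16:20:02 mailhost sendmail[2103]: u9G5K2aD002103: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 16:25:40 mailhost sendmail[2110]: u9G5PeaE002110: relay.example.net [198.51.100.20] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 16:31:12 mailhost sendmail[2115]: u9G5VCaF002115: from=<a@example.org>, size=812, nrcpts=1, relay=[192.0.2.9]
Oct 16 17:02:33 mailhost sendmail[2120]: u9G62XaG002120: relay.example.net [198.51.100.20] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Optional reverse-DNS name, then the bracketed address, then the fixed message.
NOISSUE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?sendmail\[\d+\]:\s\S+:\s"
    r"(?:\S+\s)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\s"
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to \S+$"
)

def repeat_offenders(log_text, threshold=3, window=timedelta(seconds=5), year=2016):
    """Return {ip: peak_count} for addresses with >= threshold hits inside any window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = NOISSUE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, count in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} connections without MAIL/EXPN/VRFY/ETRN in one window")
```

Isolated messages, such as the two from 198.51.100.20 that are more than half an hour apart, stay below the threshold and are not flagged.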