On 06.04.2013 13:18, Reindl Harald wrote:
> Hi
>
> Does someone have a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source IPs?
>
> I know about fail2ban and so on, but I would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> entirely because it does not fit the way we maintain firewalls:
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to every server with a comment and timestamp
> * write an abuse mail to the ISP
Hi Harald,

not exactly, but I have written a blog post on detecting brute force against Dovecot and alarming via Xymon:
http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovecot/

I also have a blog post about feeding an rsyslog pipe into the iptables recent module to drop IPs:
http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

Mix them up somehow in scripts and produce a mail to the abuse mail account found via whois. For me, alarming is enough; on my servers it looks like most alarms are coming from users with wrong login data etc., real brute force is rare.

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
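An added example (not from either poster or the linked blog posts) of the log filtering Harald asks for: it tallies failed logins per source IP from maillog lines and flags hosts that either fail often or cycle through many usernames, which is what distinguishes a dictionary attack from a user mistyping a password. The log line formats assumed are Dovecot 2.x `*-login` "auth failed" disconnects and Postfix smtpd "SASL ... authentication failed" warnings; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Failure patterns (assumption: Dovecot 2.x *-login "auth failed" disconnects and
# Postfix smtpd "SASL ... authentication failed" warnings; adjust to your log format).
DOVECOT_RE = re.compile(
    r"dovecot: \w+-login: (?:Disconnected|Aborted login) \(auth failed.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")
POSTFIX_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

def parse_failures(lines):
    """Return {ip: {"count": failed logins, "users": set of usernames tried}}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            stats[m["ip"]]["count"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = POSTFIX_RE.search(line)
        if m:
            stats[m["ip"]]["count"] += 1  # Postfix does not log the username here
    return dict(stats)

def suspects(stats, min_failures=5, min_users=3):
    """IPs worth reporting: many failures, or many distinct usernames (dictionary attack)."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_failures or len(s["users"]) >= min_users)

def report(stats, min_failures=5, min_users=3):
    """Plain-text summary, one line per IP, ready to pipe into mail(1) or an abuse ticket."""
    return "\n".join(
        f"{ip}: {stats[ip]['count']} failed logins, usernames tried: "
        f"{', '.join(sorted(stats[ip]['users'])) or '(not logged)'}"
        for ip in suspects(stats, min_failures, min_users))

# Constructed sample maillog lines (not from a real server): one host cycling through
# usernames, one hammering SMTP AUTH, and one user who mistyped a password once.
SAMPLE = [
    "Apr  6 13:18:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    f"user=<{u}>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<s1>"
    for u in ("admin", "info", "test")
] + [
    "Apr  6 13:18:05 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: authentication failure"
] * 6 + [
    "Apr  6 13:19:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): "
    "user=<harald>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, session=<s2>",
]
```

Run it over the real file with `report(parse_failures(open("/var/log/maillog")))`; the single-failure host 192.0.2.50 stays out of the report while both attackers are listed.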