On Fri, 8 May 2020 at 23:02, Doug Preston via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
>
> more filter.d/postfixconf help needed.
> I have a log entry in maillog I am trying to trigger fail2ban with. I
> actually want to trigger on anything with the following
> after EHLO from unknown[xxx.xxx.xxx.xxx]
> May 5 18:58:24 mail postfix/smtpd[3984]: lost connection after EHLO from unknown[141.98.80.48]
> May 6 03:08:17 mail postfix/smtpd[29346]: lost connection after EHLO from unknown[78.128.113.100]
> May 7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO from unknown[185.50.149.26]

The postfix filter has changed a lot over the years, although I don't think any standard versions would capture this text.

Are you sure you want to ban on this match? There are legitimate reasons for testing a connection so you might end up blocking 'good' ips (e.g. https://www.shodan.io/).

Which version of fail2ban are you using and do you have a bespoke postfix filter (postfix.local) or are you just using the standard file for your version?

For this filter (only) I use (as my postfix.local) the latest development version at https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/postfix.conf
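
A way to dry-run the match discussed in this thread before turning it into a filter, as an added example that is not part of either message and is not fail2ban's own code. It counts "lost connection after EHLO from unknown[...]" lines per host inside a time window and skips allow-listed hosts, so a single connection test is not flagged. The log lines are constructed, `find_offenders` is a hypothetical helper, and a plain IPv4 group is assumed in place of fail2ban's `<HOST>` tag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not the thread's IPs).
SAMPLE_LOG = """\
May  5 18:58:24 mail postfix/smtpd[3984]: lost connection after EHLO from unknown[192.0.2.10]
May  5 18:58:40 mail postfix/smtpd[3990]: connect from unknown[192.0.2.10]
May  5 18:59:02 mail postfix/smtpd[3990]: lost connection after EHLO from unknown[192.0.2.10]
May  5 19:01:15 mail postfix/smtpd[3991]: lost connection after EHLO from unknown[192.0.2.10]
May  6 03:08:17 mail postfix/smtpd[29346]: lost connection after EHLO from unknown[198.51.100.7]
May  7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO from unknown[203.0.113.5]
May  7 03:12:30 mail postfix/smtpd[10157]: lost connection after EHLO from unknown[203.0.113.5]
May  7 03:13:01 mail postfix/smtpd[10158]: lost connection after EHLO from unknown[203.0.113.5]
"""

# Assumption: a plain IPv4 group stands in for fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after EHLO from unknown\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10),
                   ignoreip=frozenset(), year=2020):
    """Return hosts with at least maxretry matches inside a findtime window.

    Hypothetical helper: it mirrors the idea behind the maxretry, findtime and
    ignoreip jail options but is not how fail2ban itself is implemented.
    """
    recent = defaultdict(list)  # host -> match times still inside the window
    offenders = set()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m is None or m["host"] in ignoreip:
            continue  # not the EHLO drop, or a host we never want to ban
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = [t for t in recent[m["host"]] if when - t <= findtime]
        window.append(when)
        recent[m["host"]] = window
        if len(window) >= maxretry:
            offenders.add(m["host"])
    return sorted(offenders)


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
    print(find_offenders(SAMPLE_LOG, ignoreip={"203.0.113.5"}))
```

The syslog lines carry no year, so `year` is supplied by the caller; with `maxretry=1` every matching host is returned, which is the behaviour the reply cautions about.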