On 5/8/2020 11:58 PM, Dominic Raferd wrote:
> On Fri, 8 May 2020 at 23:02, Doug Preston via Fail2ban-users
> <fail2ban-users@lists.sourceforge.net> wrote:
> > more filter.d/postfix.conf help needed.
> > I have a log entry in maillog I am trying to trigger fail2ban with. I
> > actually want to trigger on anything with the following:
> > after EHLO from unknown[xxx.xxx.xxx.xxx]
> > May 5 18:58:24 mail postfix/smtpd[3984]: lost connection after EHLO from unknown[141.98.80.48]
> > May 6 03:08:17 mail postfix/smtpd[29346]: lost connection after EHLO from unknown[78.128.113.100]
> > May 7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO from unknown[185.50.149.26]
> The postfix filter has changed a lot over the years, although I don't
> think any standard versions would capture this text.
> Are you sure you want to ban on this match? There are legitimate
> reasons for testing a connection, so you might end up blocking 'good'
> IPs (e.g. https://www.shodan.io/).
> Which version of fail2ban are you using, and do you have a bespoke
> postfix filter (postfix.local) or are you just using the standard file
> for your version?
> For this filter (only) I use (as my postfix.local) the latest
> development version at
> https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/postfix.conf
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Fail2Ban v0.10.5
The only connections I find in my logs are continuous hits; no email
has ever come from any of the IPs I see causing this log entry.
No legitimate mail server will hit my server with 50 of these a day.
I don't have a postfix.local
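Added example (not from the thread, and not fail2ban's own code): a failregex for the "lost connection after EHLO from unknown[...]" lines in the form it would take in a local filter file, plus a stand-alone Python check of that regex against constructed log lines. The filter file name (postfix-ehlo.local), the simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> expansions, the _daemon value (modelled on the upstream postfix filter) and the extra sample lines (a repeat hit and a host with working reverse DNS) are all assumptions made for the example. The per-IP count at the end mirrors what a jail's maxretry does over findtime, which is the mechanism that reconciles the two views in the thread: match every such line, but only ban hosts that keep producing them.

```python
"""Check a fail2ban-style failregex for Postfix 'lost connection after EHLO'
lines against sample log lines, outside fail2ban itself."""
from __future__ import annotations

import re
from collections import Counter

# Filter text as it could go in an assumed local filter file,
# /etc/fail2ban/filter.d/postfix-ehlo.local. %(__prefix_line)s and <HOST>
# are fail2ban substitutions; _daemon is modelled on the upstream postfix filter.
FILTER_LOCAL = r"""
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/smtpd
failregex = ^%(__prefix_line)slost connection after EHLO from unknown\[<HOST>\]$
ignoreregex =
"""

# Simplified stand-ins (assumptions, not fail2ban's real definitions) for what
# fail2ban substitutes when compiling the filter: a syslog prefix of date,
# hostname and daemon[pid]:, and the <HOST> capture group.
PREFIX_LINE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix(?:-\w+)?/smtpd\[\d+\]: "
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# Constructed sample log: the three lines quoted in the thread, a second hit
# from the first IP, a non-EHLO line, and a host whose reverse DNS resolves.
SAMPLE_LOG = """\
May 5 18:58:24 mail postfix/smtpd[3984]: lost connection after EHLO from unknown[141.98.80.48]
May 5 19:02:11 mail postfix/smtpd[3990]: lost connection after EHLO from unknown[141.98.80.48]
May 6 03:08:17 mail postfix/smtpd[29346]: lost connection after EHLO from unknown[78.128.113.100]
May 7 03:12:05 mail postfix/smtpd[10156]: lost connection after EHLO from unknown[185.50.149.26]
May 7 03:13:40 mail postfix/smtpd[10160]: connect from unknown[185.50.149.26]
May 7 03:13:41 mail postfix/smtpd[10160]: lost connection after EHLO from mx.example.org[203.0.113.7]
"""


def compile_failregex(filter_text: str) -> re.Pattern:
    """Pull the failregex line out of the filter text and expand its placeholders."""
    m = re.search(r"^failregex\s*=\s*(.+)$", filter_text, re.M)
    if not m:
        raise ValueError("no failregex in filter text")
    pattern = m.group(1).replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def matching_hosts(log_text: str, regex: re.Pattern) -> list[str]:
    """Return the host captured from every line the failregex matches, in log order.
    Lines for other events, or for hosts that are not 'unknown', are skipped."""
    return [m.group("host") for line in log_text.splitlines() if (m := regex.match(line))]


def ban_candidates(hosts: list[str], maxretry: int) -> dict[str, int]:
    """Hosts seen at least maxretry times, with their counts (what a jail's
    maxretry does over its findtime window)."""
    return {h: n for h, n in Counter(hosts).items() if n >= maxretry}


if __name__ == "__main__":
    rx = compile_failregex(FILTER_LOCAL)
    hits = matching_hosts(SAMPLE_LOG, rx)
    print("matched hosts:", hits)
    print("would ban with maxretry=2:", ban_candidates(hits, 2))
```

Against a real installation the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-ehlo.local`, which uses fail2ban's own prefix and <HOST> handling rather than the stand-ins above; the regex only matches hosts Postfix logs as "unknown", so a scanner with working reverse DNS would not be counted.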