Cameron Camp wrote:
> I've been happily using denyhosts for ssh brute force attacks,
>
> 1. What are best practices for the same functionality for Postfix
> 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
> 3. Should I use something else?
>
> I'd like to stop attacks at the iptable/tcpwrapper level before it eats
> up postfix resources. Sorry if that has already been asked.
>
> Best,
> Cam

I use fail2ban with this:

failregex = reject: RCPT from (.*)\[<HOST>\]: (550|554).*(Recipient address rejected: User unknown|Relay access denied)

watch for wrapping, as this is all on one line in the /etc/fail2ban/filter.d/postfix.conf

I have it set in /etc/fail2ban/jail.conf to block the source IP address for 1 hour after 5 associated maillog entries, and it's been working fine here for quite some time.

Bill
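
Added example, not part of the original posts: a quick offline check of the failregex above against constructed maillog lines, counting matches per client against the 5-entry threshold. It assumes a simplified IPv4-only pattern in place of fail2ban's own `<HOST>` expansion and ignores any time window; `matched_host` and `offenders` are hypothetical helper names.

```python
import re
from collections import Counter

# failregex exactly as posted; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = (r"reject: RCPT from (.*)\[<HOST>\]: (550|554).*"
             r"(Recipient address rejected: User unknown|Relay access denied)")

# Assumption: simplified IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

MAXRETRY = 5  # "5 associated maillog entries" from the post


def matched_host(line):
    """Return the client IP if the line matches the failregex, else None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None


def offenders(lines, maxretry=MAXRETRY):
    """Return {ip: hits} for hosts with at least maxretry matching lines."""
    hits = Counter(h for h in map(matched_host, lines) if h)
    return {ip: n for ip, n in hits.items() if n >= maxretry}


PREFIX = "Jan 10 03:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
# Constructed sample maillog lines (documentation address ranges).
SAMPLE_LOG = (
    # Five unknown-recipient rejects from one client: reaches the threshold.
    [PREFIX + f"unknown[192.0.2.10]: 550 5.1.1 <user{i}@example.com>: "
     "Recipient address rejected: User unknown in local recipient table"
     for i in range(5)]
    # Two relay attempts: matches the regex but stays under the threshold.
    + [PREFIX + "host.example.net[198.51.100.7]: 554 5.7.1 <x@example.org>: "
       "Relay access denied"] * 2
    # Six temporary (450) rejects: not 550/554, so never counted.
    + [PREFIX + "unknown[203.0.113.5]: 450 4.7.1 <mail>: "
       "Helo command rejected: Host not found"] * 6
)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} matching rejects, would be banned")
```

Running lines from your own maillog through `matched_host` before enabling the jail shows which rejects the filter will count and which it will ignore.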