On 24.07.24 13:26, Bob via Postfix-users wrote:
Thanks for the reply.

There are some words here,

https://unix.stackexchange.com/questions/179477/how-does-fail2ban-detect-the-time-of-an-intrusion-attempt-if-the-log-files-dont

This article is 9 years old and apparently some parts of it are obsolete...

Which suggests that Fail2Ban is continuously scanning logfiles for
changes unless you install Gamin which is some sort of helper program
that appears to get a kernel notification in the event something is
written to the logfile.

Now I have to install Fail2Ban and Gamin and work out how to use them
in anger. OK, perhaps I moan too much but things are escalating in
complexity whereas if I had my way Postfix could directly notify my
simple script rather than going around these additional houses.

...you don't need gamin, on Debian fail2ban recommends the python3-pyinotify module, which does the same job.
gamin is just a server that provides inotify service to multiple daemons.

I agree fail2ban is not very easy to understand.

On Wed, 2024-07-24 at 14:11 +0200, Jaroslaw Rafa via Postfix-users
wrote:
On 24.07.2024 at 00:14:51, Bob via Postfix-users wrote:
> I want "Kill on Sight". 
>
> Fastest way to me would be Postfix says it logged a connection from
> fluffy.cuddly.port.raping.internet-measurement.com calls my script
> with the IP address and they get stuffed up IPTables.

Despite what you say about your unsuccessful attempts with fail2ban,
it seems the best tool for the job. It's the whole idea of fail2ban
anyway - if "SOMETHING" appears in the logfile "SOME" number of times
(which can be 1), then stuff the IP address into iptables for
blocking.

AFAIK, fail2ban uses the inotify mechanism to monitor log files, so it
detects changes in logfiles immediately and not retroactively as you
stated. So at the moment when Postfix logs a connection from
"fluffy.cuddly.port.raping.internet-measurement.com" ;), fail2ban can
block it. It's all a matter of writing proper rules for fail2ban.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
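
The matching step described in the thread (a pattern seen some number of times in the log, which can be 1, yields an IP address to block), as an added example that is not part of the original messages and is not fail2ban's own code. The log lines are constructed, and `ips_to_ban`, `name_suffixes` and `maxretry` as used here are hypothetical names; the function only returns addresses and does not touch iptables.

```python
import re
from collections import Counter

# Postfix smtpd logs each client as "connect from <name>[<ip>]".
# Anchoring on "]: connect" keeps "disconnect from ..." lines from matching.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>\S+)\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def ips_to_ban(lines, name_suffixes, maxretry=1):
    """Return IPs, in order of first ban, whose logged client name falls under
    one of name_suffixes and that have connected at least maxretry times."""
    suffixes = tuple(s.lower().strip(".") for s in name_suffixes)
    hits = Counter()
    banned = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        # Match the domain itself or a subdomain, never a bare substring.
        # Clients logged as "unknown" (no verified name) cannot match by name.
        if not any(name == s or name.endswith("." + s) for s in suffixes):
            continue
        ip = m.group("ip")
        hits[ip] += 1
        if hits[ip] == maxretry:  # report each address once, at the threshold
            banned.append(ip)
    return banned

# Constructed sample lines (documentation address ranges, made-up host names).
SAMPLE_LOG = [
    "Jul 24 00:14:51 mx postfix/smtpd[2211]: connect from scanner-07.internet-measurement.com[192.0.2.10]",
    "Jul 24 00:14:52 mx postfix/smtpd[2211]: disconnect from scanner-07.internet-measurement.com[192.0.2.10] ehlo=1 quit=1 commands=2",
    "Jul 24 00:15:03 mx postfix/smtpd[2215]: connect from mail.example.org[198.51.100.7]",
    "Jul 24 00:15:09 mx postfix/smtpd[2217]: connect from unknown[203.0.113.5]",
    "Jul 24 00:15:20 mx postfix/smtpd[2219]: connect from notinternet-measurement.com.example.net[198.51.100.9]",
    "Jul 24 00:15:31 mx postfix/smtpd[2220]: connect from probe.internet-measurement.com[2001:db8::25]",
    "Jul 24 00:16:02 mx postfix/smtpd[2224]: connect from scanner-07.internet-measurement.com[192.0.2.10]",
]

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG, ["internet-measurement.com"]):
        print(ip)
```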