On Thu, Jun 18, 2015, at 09:00 AM, Bill Cole wrote:
> It varies from site to site, but if you have the wrong sort of target
> domains you can see things like ...
...
> A tool like fail2ban may not be able to act fast enough to cut off
> the first attack from bots acting like Cutwail, but if configured sanely
> (90 days ban for fast-talkers) it can help a great deal.
The 'data' I'd been looking at, my own logs, was simply, fortunately, and just to-date, lacking in many of these attacks/exploits. The examples given so far certainly provide, for me, sufficient argument to keep f2b in the loop.

The minor challenge is updating f2b's jail defs, actions and filters to be relevant to my setup of

  postscreen
  + smtpd_ restrictions
  prequeue SPF-check proxy
  prequeue amavisd ClamAV + DKIM checks
  postqueue amavisd Spamassassin checks

It seems that response codes & log syntax have changed for postscreen, and the examples and pkg-included f2b bits make a bunch of outdated assumptions that result in no-hits. Not a big deal, just needs some staring at logs for a bit; slightly more challenging crafting the rules in this 'newer' setup for log entries for attacks/exploits that I haven't yet seen.
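As an added example that is not part of this thread and not a filter shipped by fail2ban or Postfix, here is a small Python checker for the "staring at logs" step: it runs fail2ban-style failregex patterns for the postscreen verdicts (PREGREET, DNSBL rank, NOQUEUE reject, HANGUP in tests) over a constructed maillog excerpt, counts hits per client, and renders the same patterns as a filter.d body. The log lines are constructed to follow postscreen's logging format with documentation-range IPs; the rendered filter assumes a fail2ban whose common.conf provides `__prefix_line` and `_daemon`.

```python
"""Fail2ban-style matching of Postfix postscreen verdicts (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample maillog excerpt (not real traffic): one client that trips
# several postscreen tests, one that passes cleanly, one that only pregreets.
SAMPLE_LOG = """\
Jun 18 09:00:01 mx postfix/postscreen[4321]: CONNECT from [192.0.2.10]:51234 to [198.51.100.5]:25
Jun 18 09:00:01 mx postfix/postscreen[4321]: PREGREET 18 after 0.02 from [192.0.2.10]:51234: EHLO bot.example\\r\\n
Jun 18 09:00:01 mx postfix/postscreen[4321]: DNSBL rank 4 for [192.0.2.10]:51234
Jun 18 09:00:01 mx postfix/postscreen[4321]: NOQUEUE: reject: RCPT from [192.0.2.10]:51234: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net>, to=<b@example.org>, proto=ESMTP, helo=<bot.example>
Jun 18 09:00:02 mx postfix/postscreen[4321]: HANGUP after 0.5 from [192.0.2.10]:51234 in tests after SMTP handshake
Jun 18 09:00:03 mx postfix/postscreen[4321]: CONNECT from [203.0.113.7]:40001 to [198.51.100.5]:25
Jun 18 09:00:04 mx postfix/postscreen[4321]: PASS NEW [203.0.113.7]:40001
Jun 18 09:00:05 mx postfix/postscreen[4321]: PREGREET 8 after 0.01 from [192.0.2.11]:6000: HELO x\\r\\n
Jun 18 09:00:06 mx postfix/postscreen[4321]: DISCONNECT [203.0.113.7]:40001
"""

# One pattern per postscreen verdict worth counting, written with fail2ban's
# <HOST> token so the same text can be rendered into a filter.d file.
# PASS NEW / PASS OLD / CONNECT / DISCONNECT lines are deliberately not listed:
# they describe clients that postscreen let through.
VERDICTS = {
    "pregreet": r"PREGREET \d+ after \S+ from \[<HOST>\]:\d+:",
    "dnsbl":    r"DNSBL rank \d+ for \[<HOST>\]:\d+",
    "reject":   r"NOQUEUE: reject: RCPT from \[<HOST>\]:\d+: 5\d\d ",
    "hangup":   r"HANGUP after \S+ from \[<HOST>\]:\d+ in tests",
}

# For local matching, <HOST> becomes a named group and the syslog program
# prefix is matched literally (fail2ban would supply this via __prefix_line).
HOST_GROUP = r"(?P<host>[^\]]+)"
COMPILED = {
    kind: re.compile(r"postfix/postscreen\[\d+\]: " + rx.replace("<HOST>", HOST_GROUP))
    for kind, rx in VERDICTS.items()
}


def scan(log_text):
    """Return {client_ip: Counter(verdict -> count)} for every matching line.

    Each log line counts once, against the first verdict that matches it.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        for kind, rx in COMPILED.items():
            m = rx.search(line)
            if m:
                hits[m.group("host")][kind] += 1
                break
    return dict(hits)


def ban_candidates(hits, maxretry=3):
    """Clients whose total verdict count reaches maxretry (fail2ban's threshold)."""
    return sorted(host for host, c in hits.items() if sum(c.values()) >= maxretry)


def filter_text():
    """Render VERDICTS as the body of a fail2ban filter.d/postscreen.conf.

    Assumes common.conf's __prefix_line / _daemon conventions.
    """
    out = ["[INCLUDES]", "before = common.conf", "", "[Definition]",
           "_daemon = postfix/postscreen", "failregex ="]
    out += ["    ^%(__prefix_line)s" + rx for rx in VERDICTS.values()]
    out += ["ignoreregex =", ""]
    return "\n".join(out)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, counts in sorted(hits.items()):
        print(host, dict(counts))
    print("would ban:", ban_candidates(hits))
    print(filter_text())
```

Before wiring the rendered filter into a jail, run `fail2ban-regex` against a real log sample so the `no-hits` problem described above is caught in testing rather than in production; the locally counted totals here are a quick way to see which verdict lines actually appear in your own logs. The 90-day ban from the quoted suggestion corresponds to `bantime = 7776000` in the jail definition. HANGUP lines are the weakest signal of the four, since a real MTA that loses its connection during the after-220 tests logs the same way, so if your logs show legitimate senders tripping it, drop that pattern or raise `maxretry` rather than banning on it alone.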