As I watch the bots and spammers hammer my server with connection attempts, I figured I might as well stop them even closer to the front door when they try repeatedly.
I have fail2ban running already, and once I enabled postscreen it didn't seem to have much to do anymore.

My primary question is: Can I filter on the DISCONNECT log line for bad connections (and only bad connections), or do some "good" connections also log a DISCONNECT? Like this:

    Jul 17 10:08:27 tn3 postfix/postscreen[19184]: DISCONNECT [110.175.112.118]:63862

My server isn't "live" yet and my logs are just from bots and spammers already knocking at the door, so I don't have a lot of "good" connections to look at. I couldn't figure out if a "good" connection that went through after 220 tests, or any other pass, also got a DISCONNECT entry. If it does, I can't use it.

I've only found a couple of others' fail2ban filters related to postscreen logs. One from:

    https://github.com/jannickfahlbusch/fail2ban-rulez/blob/master/MailServer/PostFix/postfix-dnsblog.conf

That one picks up on the "listed by domain" string, but because I may have multiple "hits" per connection due to multiple dnsbls, it throws off my banning thresholds. Not a huge deal, but not the count I want. This connection counted 4 "fails":

    Jul 17 10:01:40 tn3 postfix/postscreen[19136]: CONNECT from [105.174.2.98]:11607 to [45.63.111.83]:25
    Jul 17 10:01:40 tn3 postfix/dnsblog[19138]: addr 105.174.2.98 listed by domain b.barracudacentral.org as 127.0.0.2
    Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.11
    Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.4
    Jul 17 10:01:40 tn3 postfix/dnsblog[19143]: addr 105.174.2.98 listed by domain dnsbl.sorbs.net as 127.0.0.7
    Jul 17 10:01:46 tn3 postfix/postscreen[19136]: DNSBL rank 6 for [105.174.2.98]:11607
    Jul 17 10:01:48 tn3 postfix/postscreen[19136]: DISCONNECT [105.174.2.98]:11607

From searching this list I saw this filter:

    https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fkupschke.net%2F2013%2F04%2F20%2Ffail2ban-und-postscreen%2F&edit-text=&act=url

That one is picking up on 5xx reject codes like this one. I don't have many like this (yet):

    Jul 17 07:58:28 tn3 postfix/postscreen[8899]: CONNECT from [66.231.40.205]:64187 to [45.63.111.83]:25
    Jul 17 07:58:28 tn3 postfix/dnsblog[8904]: addr 66.231.40.205 listed by domain zen.spamhaus.org as 127.0.0.4
    Jul 17 07:58:34 tn3 postfix/postscreen[8899]: DNSBL rank 3 for [66.231.40.205]:64187
    Jul 17 07:58:35 tn3 postfix/postscreen[8899]: NOQUEUE: reject: RCPT from [66.231.40.205]:64187: 550 5.7.1 Service unavailable; client [66.231.40.205] blocked using zen.spamhaus.org; from=<36jr3j36jr36jr3.3625327...@superuser.com>, to=<cookie.nick2...@outlook.com>, proto=ESMTP, helo=<[192.168.1.5]>
    Jul 17 07:58:35 tn3 postfix/postscreen[8899]: DISCONNECT [66.231.40.205]:64187

Anyone have any good postscreen fail2ban filters? Mine for now is:

    failregex = ^%(__prefix_line)saddr <HOST> listed by domain .* as .*$
                reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550
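As an added illustration of the threshold problem described above (this is example code, not the poster's configuration and not fail2ban's own code): the script below replays the two connections quoted in the post through two filter.d-style pattern sets and counts failures per host the way fail2ban's maxretry would see them. The `<HOST>` expansion is the one fail2ban's 0.9 series substitutes into failregex; `PREFIX_RE` is a simplified stand-in for `%(__prefix_line)s`; the "rank + reject" pattern set, the `min_rank` knob, and the example.com sender/recipient placeholders are this example's own constructions. In the posted logs each connection produces exactly one "DNSBL rank" line, so matching on that line instead of "listed by domain" yields one failure per connection regardless of how many DNSBLs list the client.

```python
"""Simulate fail2ban failregex matching and maxretry counting over postscreen logs.

Added example: not fail2ban code and not the original poster's filter.
"""
import re
from collections import Counter

# Constructed sample: the two connections quoted in the post, re-typed as one log
# (sender/recipient addresses replaced with example.com placeholders).
SAMPLE_LOG = """\
Jul 17 10:01:40 tn3 postfix/postscreen[19136]: CONNECT from [105.174.2.98]:11607 to [45.63.111.83]:25
Jul 17 10:01:40 tn3 postfix/dnsblog[19138]: addr 105.174.2.98 listed by domain b.barracudacentral.org as 127.0.0.2
Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.11
Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.4
Jul 17 10:01:40 tn3 postfix/dnsblog[19143]: addr 105.174.2.98 listed by domain dnsbl.sorbs.net as 127.0.0.7
Jul 17 10:01:46 tn3 postfix/postscreen[19136]: DNSBL rank 6 for [105.174.2.98]:11607
Jul 17 10:01:48 tn3 postfix/postscreen[19136]: DISCONNECT [105.174.2.98]:11607
Jul 17 07:58:28 tn3 postfix/postscreen[8899]: CONNECT from [66.231.40.205]:64187 to [45.63.111.83]:25
Jul 17 07:58:28 tn3 postfix/dnsblog[8904]: addr 66.231.40.205 listed by domain zen.spamhaus.org as 127.0.0.4
Jul 17 07:58:34 tn3 postfix/postscreen[8899]: DNSBL rank 3 for [66.231.40.205]:64187
Jul 17 07:58:35 tn3 postfix/postscreen[8899]: NOQUEUE: reject: RCPT from [66.231.40.205]:64187: 550 5.7.1 Service unavailable; client [66.231.40.205] blocked using zen.spamhaus.org; from=<sender@example.com>, to=<rcpt@example.com>, proto=ESMTP, helo=<[192.168.1.5]>
Jul 17 07:58:35 tn3 postfix/postscreen[8899]: DISCONNECT [66.231.40.205]:64187
"""

# fail2ban's (0.9 series) expansion of the <HOST> tag, so patterns can be written
# exactly as they would appear in a filter.d/*.conf file.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s: syslog timestamp, hostname, daemon[pid]:
PREFIX_RE = r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/(?:postscreen|dnsblog)\[\d+\]: "

# The poster's approach: one failure per "listed by domain" line (several per connection).
LISTED_BY_DOMAIN = [
    r"addr <HOST> listed by domain \S+ as \S+$",
]

# This example's alternative: the single "DNSBL rank" summary line per connection,
# plus the 550 reject that postscreen logs when it refuses RCPT.
RANK_AND_REJECT = [
    r"DNSBL rank (?P<rank>\d+) for \[<HOST>\]:\d+$",
    r"NOQUEUE: reject: RCPT from \[<HOST>\]:\d+: 550 ",
]


def compile_failregex(patterns):
    """Expand <HOST> and prepend the prefix, as fail2ban does for each failregex line."""
    return [re.compile(PREFIX_RE + p.replace("<HOST>", HOST_RE)) for p in patterns]


def count_failures(log_text, patterns, min_rank=1):
    """Return a Counter of failures per host, at most one per log line.

    min_rank only affects patterns that capture a <rank> group: a rank below it is
    not counted, so the knob can be set to match postscreen_dnsbl_threshold.
    """
    regexes = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.match(line)
            if not m:
                continue
            rank = m.groupdict().get("rank")
            if rank is not None and int(rank) < min_rank:
                break  # matched, but below the rank we care about: not a failure
            hits[m.group("host")] += 1
            break  # fail2ban counts a line once, even if several regexes match
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Hosts whose failure count reached maxretry (3 is fail2ban's default)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, patterns in (("listed-by-domain", LISTED_BY_DOMAIN), ("rank+reject", RANK_AND_REJECT)):
        hits = count_failures(SAMPLE_LOG, patterns)
        print(f"{name}: {dict(hits)} -> ban: {hosts_to_ban(hits)}")
```

Run as-is, the "listed by domain" set bans 105.174.2.98 after a single connection because four DNSBLs answered, while the "rank + reject" set records one or two failures per connection and bans nobody yet, which is the behaviour wanted when the goal is to ban clients that come back repeatedly. Raising `min_rank` to the value of `postscreen_dnsbl_threshold` keeps the count aligned with what postscreen itself actually rejects.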