* Wietse Venema <postfix-users@postfix.org>: > Scott Techlist: > > As I watch the bots and spammers hammer my server with connection attempts, > > I figured I might as well stop them even closer to the front door when they > > try repeatedly. > > > > I have fail2ban running already and once I enabled postscreen it didn't seem > > to have much to do anymore. > > > > My primary question is: Can I filter on the DISCONNECT log line for bad > > connections (and only bad connections), or do some "good" connections also > > log a DISCONNECT. > > Postcreen logs DISCONNECT for clients that PASS the "after 220 > greeting" tests (bare newline, non-SMTP command, pipelining). > > I don't think there is much to gain from parsing postscreen logging > to produce fail2ban rules. postscreen is designed to handle a lot > of abuse with near-zero resources.
To add my 2ct: As long as it doesn't impose a problem on the application I prefer to 'see' the disconnects in the application and not on some other host (read: upstream firewall). This makes it easier for me to see relationships etc. p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
