On 17/07/17 21:04, Scott Techlist wrote:
>> Postscreen logs DISCONNECT for clients that PASS the "after 220 greeting"
>> tests (bare newline, non-SMTP command, pipelining).
> Exactly what I was afraid of, thanks for the confirmation.
>
>> I don't think there is much to gain from parsing postscreen logging to produce
>> fail2ban rules. postscreen is designed to handle a lot of abuse with near-zero
>> resources.
> I understand and that's great. But it would be nice to prevent at least
> some of the connections and their ongoing log entries. Without getting out of
> my comfort zone in solutions like Robert's and Allen's.

FWIW, I decided to implement iptables blocking after several bouts of hundreds of concurrent connect requests. They created a week's "worth" of log entries in less than ten minutes - which I didn't like!

These days I only see two or three such connect requests before they are blocked. From the IP table counters, some hosts keep trying to connect for a month or more.

For some reason, I am also quite intolerant about AUTH probes, even though there is nothing to find...

On balance, I would like to keep Fail2Ban, or something similar - but as a back-up, not a primary filter.

Allen C