On 15/11/2019 16:15, @lbutlr wrote:
> On 15 Nov 2019, at 03:21, Allen Coates <znab...@cidercounty.org.uk> wrote:
>> Disabling auth does not stop them from trying; I scan my logs for the string
>> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
>> fail2ban.
>
> Seems like a good idea.
>
> Something like this?
>
> pfctl -t badguys -T add $(grep "auth=0/1" /var/log/mail.log | egrep -o "\[[^]]*\.[^]]*\]" | tr -d '[]')
>

I use cut statements rather than egrep - not as elegant but it isolates both
IPv4 and IPv6 addresses.

I sweep about two days' worth of logs, and offending addresses go into a
postscreen blacklist. This is recompiled when there is something new.

Repeated postscreen disconnections (for whatever reason) escalate into an
iptables drop-list, where they stay until they stop trying to connect.

Allen C
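
The log sweep described in this message, as an added example that is not code from the thread or from Postfix: it pulls both IPv4 and IPv6 client addresses out of `auth=0/1` disconnect lines and renders them as `reject` entries for a block list. The sample log lines are constructed, the function names are hypothetical, and the output assumes the list is a `cidr:` table used with `postscreen_access_list`.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd "disconnect" format (not real traffic).
SAMPLE_LOG = """\
Nov 15 03:10:01 mail postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 03:10:09 mail postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 03:11:40 mail postfix/smtpd[2107]: disconnect from unknown[2001:db8::25] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 15 03:12:02 mail postfix/smtpd[2110]: disconnect from mx.example.net[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
Nov 15 03:12:30 mail postfix/smtpd[2111]: disconnect from client.example.org[203.0.113.5] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Nov 15 03:13:00 mail postfix/smtpd[2112]: disconnect from unknown[unknown] ehlo=1 auth=0/1 commands=1/2
"""

# Anchor on "disconnect from host[addr]" so the PID in "smtpd[2101]" is never captured.
CLIENT = re.compile(r"disconnect from [^\s\[]*\[([^\]\s]+)\]")

def failed_auth_clients(lines, threshold=1):
    """Return sorted addresses seen with auth=0/1 at least `threshold` times."""
    counts = Counter()
    for line in lines:
        if "auth=0/1" not in line:
            continue
        match = CLIENT.search(line)
        if match is None:
            continue
        try:
            # Parsing rejects "unknown" and anything else that is not a literal
            # IPv4 or IPv6 address, so log noise cannot reach the block list.
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue
    hits = [addr for addr, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda a: (a.version, a))

def postscreen_cidr(addresses):
    """Render addresses as cidr-table lines with the 'reject' action."""
    return "".join(f"{addr} reject\n" for addr in addresses)

if __name__ == "__main__":
    print(postscreen_cidr(failed_auth_clients(SAMPLE_LOG.splitlines())), end="")
```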