Hello.

One more thing i could contribute, just in case you do not know
about it.  Christos Zoulas of NetBSD has written a blocklist (it
was blacklist for quite some years, but it lost its colour), and
patched the postfix (among others) that is in the NetBSD base
system to reach out and call a hook when an authentication
failure happens.

You know, i always could not understand why people use expensive
logfile parsers to reach out for state that the server(s) had once
they made their decision, which resulted in the logfile entry.
That is just crazy.  Take this for example

  Aug 26 20:27:09 postfix/smtpd[12169]: connect from unknown[185.234.218.85]
  Aug 26 20:27:10 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.85]
  Aug 26 20:27:10 postfix/smtpd[12169]: disconnect from unknown[185.234.218.85] ehlo=1 auth=0/1 commands=1/2
  Aug 26 20:28:25 postfix/smtpd[12169]: connect from unknown[185.234.218.82]
  Aug 26 20:28:26 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.82]
  Aug 26 20:28:26 postfix/smtpd[12169]: disconnect from unknown[185.234.218.82] ehlo=1 auth=0/1 commands=1/2
  Aug 26 20:28:46 postfix/smtpd[12169]: connect from unknown[185.234.219.228]
  Aug 26 20:28:47 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.219.228]
  Aug 26 20:28:47 postfix/smtpd[12169]: disconnect from unknown[185.234.219.228] ehlo=1 auth=0/1 commands=1/2

Thanks to the error limits (which are _so_ great, and helped me
stop an attack i once had to face while temporarily, for half
a day, using a different SMTP server than postfix) this does not
hurt that much, and of course the firewall steps in if it is too
heavy.

But what the blocklist(d) does is to reach out in case of
authentication failed events (unfortunately not for nonsense
connections which do nothing, repeatedly, for example), so that
a script can be invoked which establishes a firewall rule.

It would be great if a hook could be called for such events.  Even
a simple fork+detach+exec+forget approach would be really great,
with an event indicator and an IP address as an argument.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
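Added example, not part of the mail above and not code from Postfix or NetBSD's blocklistd: it shows the two sides the mail contrasts, the logfile-parser approach (a regex over the "too many errors after AUTH" lines quoted in the mail, re-joined where the mail wrapped them) and the fork+detach+exec+forget hook dispatch the mail asks for, which hands a script exactly two arguments, an event indicator and an IP address. The hook path and the event name "auth_failure" are assumptions chosen for the example; the sample log is constructed from the mail's excerpt. The IP is validated before it reaches the script, because text lifted from a log line is client-influenced and must never be passed to a shell unchecked.

```python
"""AUTH-failure events from Postfix logs -> fire-and-forget firewall hook.

Added example, not Postfix or blocklistd code.  Assumptions: the hook is an
operator-supplied executable (placeholder path below) and the only event kind
modelled is the "too many errors after AUTH" line quoted in the mail.
"""
import ipaddress
import os
import re
from collections import Counter

# Constructed sample: the mail's excerpt with the wrapped lines re-joined.
SAMPLE_LOG = """\
Aug 26 20:27:09 postfix/smtpd[12169]: connect from unknown[185.234.218.85]
Aug 26 20:27:10 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.85]
Aug 26 20:27:10 postfix/smtpd[12169]: disconnect from unknown[185.234.218.85] ehlo=1 auth=0/1 commands=1/2
Aug 26 20:28:25 postfix/smtpd[12169]: connect from unknown[185.234.218.82]
Aug 26 20:28:26 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.82]
Aug 26 20:28:26 postfix/smtpd[12169]: disconnect from unknown[185.234.218.82] ehlo=1 auth=0/1 commands=1/2
Aug 26 20:28:46 postfix/smtpd[12169]: connect from unknown[185.234.219.228]
Aug 26 20:28:47 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.219.228]
Aug 26 20:28:47 postfix/smtpd[12169]: disconnect from unknown[185.234.219.228] ehlo=1 auth=0/1 commands=1/2
"""

# Postfix writes "<hostname>[<address>]"; hostname is "unknown" when reverse
# DNS fails.  Only the bracketed address is taken, never the hostname.
AUTH_ERR_RE = re.compile(
    r"postfix/smtpd\[\d+\]: too many errors after AUTH from "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]"
)

HOOK_PATH = "/usr/local/sbin/block-ip-hook"   # placeholder, assumption


def parse_auth_failures(log_text):
    """Logfile-parser approach: recover (event, address) pairs after the fact."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_ERR_RE.search(line)
        if m:
            events.append(("auth_failure", m.group("addr")))
    return events


def failures_per_address(events):
    """Count AUTH-failure events per client address."""
    return Counter(addr for _, addr in events)


def hook_argv(event, addr, hook_path=HOOK_PATH):
    """Build the argv the hook receives: <hook> <event> <ip>.

    Postfix logs IPv6 clients as "IPv6:<addr>"; strip that and insist the
    remainder is an address literal so nothing else from the log reaches
    the script.  ValueError on anything that is not an address.
    """
    if event != "auth_failure":
        raise ValueError("unknown event %r" % (event,))
    if addr.startswith("IPv6:"):
        addr = addr[len("IPv6:"):]
    return [hook_path, event, str(ipaddress.ip_address(addr))]


def fire_hook(event, addr, hook_path=HOOK_PATH):
    """fork+detach+exec+forget: the hook runs in its own session, with stdio
    on /dev/null, reparented to init so the caller never has to wait for it.
    Returns the argv that was dispatched."""
    argv = hook_argv(event, addr, hook_path)
    pid = os.fork()
    if pid == 0:
        os.setsid()                    # detach from the caller's session
        if os.fork() != 0:
            os._exit(0)                # first child exits at once
        devnull = os.open(os.devnull, os.O_RDWR)
        for fd in (0, 1, 2):
            os.dup2(devnull, fd)
        try:
            os.execv(argv[0], argv)    # grandchild becomes the hook
        finally:
            os._exit(127)
    os.waitpid(pid, 0)                 # reap the short-lived first child
    return argv


if __name__ == "__main__":
    events = parse_auth_failures(SAMPLE_LOG)
    print(failures_per_address(events))
    for ev, addr in events:
        if os.access(HOOK_PATH, os.X_OK):
            print("dispatched:", fire_hook(ev, addr))
        else:
            print("would run:", hook_argv(ev, addr))
```

The parser only exists to show what the mail calls the expensive route: the server already knew the client address and the reason at the moment it wrote the line, and a hook in the server would receive exactly the pair `hook_argv` reconstructs from text. The hook itself must stay short-lived and must not block the smtpd process; the double fork keeps the caller from accumulating zombies.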
