This is a question about Postfix, in relation to fail2ban.
Having recently upgraded to the current Postfix from an ancient version,
I notice the "disconnect from" log entries now include a summary of
commands received and successfully completed.
I am also seeing lots of password probe attempts that look similar to:
disconnect from unknown[104.148.78.224] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
It occurs to me that this provides a really convenient way to identify
hosts sending password probe attempts by adding a filter that looks for
the regex:
disconnect.*commands=[0123]
This would trigger on any SMTP session that disconnected before
processing a valid RCPT command. With a suitable maxretry setting (say
5) this would stop most probes.
The Postfix question: Is there a reason this is a bad idea, and could it
cause legitimate MTAs to be banned?
--
Jim Garrison
j...@acm.org
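Added illustration, not part of the post above: the proposed regex and a tightened variant run over constructed Postfix "disconnect from" lines, showing which clients each would report. The host/summary parser and the AUTH-based check are this example's own assumptions about how a narrower filter could be built, not anything from the thread; hostnames and addresses are documentation values.

```python
import re

# Constructed Postfix 3.x "disconnect from" lines (sample data, not from the
# post).  Line 1 has the shape of the probe quoted in the post, but a legitimate
# MTA whose RCPT was tempfailed (greylisting, say) leaves the same summary; line
# 2 is a failed AUTH, i.e. a real password probe; line 4 is a clean delivery.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Jan 10 12:00:02 mx postfix/smtpd[1235]: disconnect from unknown[192.0.2.11] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 10 12:00:03 mx postfix/smtpd[1236]: disconnect from mail.example.net[198.51.100.5] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan 10 12:00:04 mx postfix/smtpd[1237]: disconnect from lists.example.org[203.0.113.7] ehlo=1 starttls=1 mail=1 rcpt=10 data=1 quit=1 commands=15
Jan 10 12:00:05 mx postfix/smtpd[1238]: disconnect from unknown[192.0.2.12] commands=0/0
"""

# Client IP (where a fail2ban failregex would put <HOST>) and the counter summary.
DISCONNECT = re.compile(r"disconnect from \S+\[([\d.]+)\]\s*(.*)$")
# The pattern exactly as proposed in the post.
PROPOSED = re.compile(r"disconnect.*commands=[0123]")
# Tightened: anchor the count at end of line so "commands=15" cannot match as
# "commands=1".  fail2ban tests one log line at a time, so the anchor is safe.
TIGHTENED = re.compile(r"disconnect.*commands=[0-3](?:/\d+)?\s*$")


def matching_hosts(pattern, log):
    """Client IPs of the lines `pattern` would hand to fail2ban."""
    hosts = []
    for line in log.splitlines():
        m = DISCONNECT.search(line)
        if m and pattern.search(line):
            hosts.append(m.group(1))
    return hosts


def parse_summary(summary):
    """Turn 'ehlo=1 rcpt=0/1 commands=3/4' into {name: (succeeded, total)}."""
    counts = {}
    for name, ok, total in re.findall(r"\b([a-z]+)=(\d+)(?:/(\d+))?", summary):
        counts[name] = (int(ok), int(total) if total else int(ok))
    return counts


def failed_auth_hosts(log):
    """IPs whose session had a failed AUTH: password probes, not tempfailed senders."""
    hosts = []
    for line in log.splitlines():
        m = DISCONNECT.search(line)
        if m:
            ok, total = parse_summary(m.group(2)).get("auth", (0, 0))
            if ok < total:
                hosts.append(m.group(1))
    return hosts
```

Note that the post's pattern also catches lists.example.org (commands=15) purely through the unanchored digit class, while neither pattern can tell the greylisted sender on line 1 from the probe it resembles.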