On 08.06.22 16:58, Jim Garrison wrote:
> This is a question about Postfix, in relation to fail2ban.
>
> Having recently upgraded to the current Postfix from an ancient version,
> I notice the "disconnect from" log entries now include a summary of
> commands received and successfully completed.
>
> I am also seeing lots of password probe attempts that look similar to:
>
> disconnect from unknown[104.148.78.224] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
>
> It occurs to me that this provides a really convenient way to identify
> hosts sending password probe attempts by adding a filter that looks for the regex:
>
>    disconnect.*commands=[0123]
>
I guess you should look at the failed RCPT command and check whether fail2ban doesn't block that already.

> This would trigger on any SMTP session that disconnected before
> processing a valid RCPT command. With a suitable maxretry setting (say
> 5) this would stop most probes.
>
> The Postfix question: Is there a reason this is a bad idea, and could it
> cause legitimate MTAs to be banned?

Depends on the filter's sensitivity. The RCPT command may fail for valid reasons, e.g. someone mistyped the recipient address.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

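As an added example, not part of the thread above and not code from either poster: the script below runs the regex proposed in the question (`disconnect.*commands=[0123]`, applied with `re.search` the way fail2ban applies a failregex) over constructed Postfix 3.x "disconnect from" summary lines, and beside it a stricter rule built on the per-command counters, i.e. the "failed RCPT" condition from the reply plus failed AUTH, which is what a real password probe leaves behind. The log lines, hostnames and IP addresses are constructed for illustration (documentation ranges, not the address from the post); the counter format `name=accepted/total`, collapsing to `name=count` when everything succeeded, is Postfix's own. A production fail2ban filter would capture the IP with `<HOST>` instead of a named group.

```python
"""Added example, not from the original thread: compare the posted fail2ban
regex with a counter-based rule on constructed Postfix disconnect lines."""
import re

# Constructed sample log lines in the Postfix 3.x summary format
# (name=accepted/total, or name=count when every command succeeded).
SAMPLE_LOG = """\
Jun  8 16:58:01 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Jun  8 16:58:05 mx postfix/smtpd[1235]: disconnect from unknown[192.0.2.11] ehlo=1 auth=0/1 quit=1 commands=2/3
Jun  8 16:58:09 mx postfix/smtpd[1236]: disconnect from mail.example.net[198.51.100.5] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jun  8 16:58:12 mx postfix/smtpd[1237]: disconnect from mail.example.org[203.0.113.7] ehlo=1 quit=1 commands=2
Jun  8 16:58:20 mx postfix/smtpd[1238]: disconnect from mail.example.net[198.51.100.5] ehlo=1 starttls=1 mail=1 rcpt=0/1 quit=1 commands=4/5
Jun  8 16:58:31 mx postfix/smtpd[1239]: disconnect from mail.example.com[203.0.113.9] ehlo=2 starttls=1 mail=3 rcpt=3 data=3 quit=1 commands=13
"""

# The regex proposed in the post, applied with re.search as fail2ban does.
# Note the character class is not anchored, so "commands=13" also matches.
POSTED_RE = re.compile(r"disconnect.*commands=[0123]")

# Parser for the disconnect summary: client name, IP and per-command counters.
DISCONNECT_RE = re.compile(
    r"disconnect from (?P<name>[^\s\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?P<summary>(?: [a-z]+=\d+(?:/\d+)?)+)\s*$"
)
COUNTER_RE = re.compile(r"([a-z]+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return (ip, {command: (accepted, total)}) or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for cmd, accepted, total in COUNTER_RE.findall(m.group("summary")):
        accepted = int(accepted)
        counters[cmd] = (accepted, int(total) if total else accepted)
    return m.group("ip"), counters


def posted_filter_hits(line):
    """True when the post's regex would count this line as a failure."""
    return POSTED_RE.search(line) is not None


def stricter_filter_hits(line):
    """True when the session delivered nothing (no accepted DATA) and had a
    rejected RCPT or a failed AUTH. A legitimate sender with one mistyped
    recipient still hits this once, which is what maxretry is for."""
    parsed = parse_disconnect(line)
    if parsed is None:
        return False
    _, c = parsed
    rcpt_ok, rcpt_total = c.get("rcpt", (0, 0))
    auth_ok, auth_total = c.get("auth", (0, 0))
    nothing_delivered = c.get("data", (0, 0))[0] == 0
    return nothing_delivered and (rcpt_total > rcpt_ok or auth_total > auth_ok)


def evaluate(log_text):
    """List (ip, posted_hit, stricter_hit) for every disconnect line."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        results.append((parsed[0], posted_filter_hits(line), stricter_filter_hits(line)))
    return results


if __name__ == "__main__":
    for ip, posted, strict in evaluate(SAMPLE_LOG):
        print(f"{ip:16} posted={posted!s:5} stricter={strict}")
```

Running it shows where the two rules disagree: the posted regex fires on the EHLO-then-QUIT session from `mail.example.org` (`commands=2`) and on the six-message session from `mail.example.com` (`commands=13`, matched by the unanchored `[0123]`), neither of which has a failed command, while it misses the `commands=4/5` session that did have a rejected RCPT. The counter-based rule flags the probe-like sessions and the rejected-recipient session only; whether the latter should count toward a ban is exactly the sensitivity question raised in the reply.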