Nikos Gatsis - Qbit <ngatsis@xxxxxxx>
Sent by: centos-bounces@xxxxxxxxxx
09.08.2011 10:40
Please reply to: CentOS mailing list <centos@xxxxxxxxxx>
To: centos@xxxxxxxxxx
Cc:
Subject: fail2ban help

Hello list.
I have a question about fail2ban for bad logins on sasl.
I use sasl, sendmail and cyrus-imapd.
In jail.conf I use the following syntax:

    [sasl-iptables]
    enabled = true
    filter = sasl
    backend = polling
    action = iptables[name=sasl, port=smtp, protocol=tcp]
             sendmail-whois[name=sasl, dest=my@email]
    logpath = /var/log/maillog
    maxretry = 6

and the following filter:

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

in iptables:

    fail2ban-sasl  tcp  --  anywhere             anywhere            tcp dpt:smtp
    ...
    Chain fail2ban-sasl (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

The problem is that it never bans bad logins.
I tried to change the action to port="imap,imaps,pop3,pop3s,smtp" but nothing changes.
Can somebody help me?
Thank you,
Nikos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

Hello Nikos,
I have nearly the same regex as you:

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*

and it works with

    fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf

Regards,
Andreas Reschke
---------------------------------------------------------

I try yours and get no matches on maillog.
Do you think that the following is correct?
...
port="imap,imaps,pop3,pop3s,smtp"
...
Thank you
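
An added example, not part of the original thread: a small offline check of which log line shapes each of the two failregex values quoted above accepts. The `<HOST>` expansion is a simplified stand-in (assumption) and every log line is constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: the
# real expansion differs between fail2ban versions).
HOST = r"(?P<host>[\w\-.^_]+)"

# The two failregex values quoted in the thread, verbatim.
FAILREGEX = {
    "nikos": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "andreas": r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*",
}

# Constructed log lines (documentation addresses, not taken from any real log).
SAMPLES = {
    # exactly the shape both expressions were written for
    "bare": "Aug  9 10:00:01 mx smtpd[111]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed",
    # trailing base64 token, allowed by the optional group in the first regex
    "base64": "Aug  9 10:00:02 mx smtpd[112]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # trailing free-text reason: the "$" anchor rejects it, ".*" accepts it
    "reason": "Aug  9 10:00:03 mx smtpd[113]: warning: unknown[192.0.2.12]: SASL PLAIN authentication failed: authentication failure",
    # a failure logged without the "warning: name[ip]: SASL" prefix
    "other": "Aug  9 10:00:04 mx daemon[114]: authentication failure from [192.0.2.13]",
}


def match_host(failregex, line):
    """Return the host captured by failregex on line, or None if no match."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    found = pattern.search(line)
    return found.group("host") if found else None


def report():
    """Map each regex name to {sample label: captured host or None}."""
    return {
        name: {label: match_host(rx, line) for label, line in SAMPLES.items()}
        for name, rx in FAILREGEX.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        for label, host in row.items():
            print(f"{name:8} {label:7} -> {host or 'no match'}")
```

A line that matches neither expression, like the last sample, never increments the jail's failure counter, so comparing the real lines in /var/log/maillog with these shapes shows whether the filter can ever trigger.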