Nikos Gatsis - Qbit <ngatsis@xxxxxxx>
Gesendet von: centos-bounces@xxxxxxxxxx
09.08.2011 10:40
Bitte antworten an
CentOS mailing list <centos@xxxxxxxxxx>
An
centos@xxxxxxxxxx
Kopie
Thema
fail2ban help
Hello list.
I have a question for fail2ban for bad logins on sasl.
I use sasl, sendmail and cyrus-imapd.
In jail.conf I use the following syntax:
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=my@email]
logpath = /var/log/maillog
maxretry = 6
and the following filter:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:
[A-Za-z0-9+/]*={0,2})?$
in iptables:
fail2ban-sasl tcp -- anywhere anywhere tcp
dpt:smtp
...
Chain fail2ban-sasl (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
The problem is that never ban bad logins.
I tried to change action as port="imap,imaps,pop3,pop3s,smtp" but
nothing change.
Can somebody help me?
Thank you,
Nikos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
Hello Nikos,
I have nearly the same regex as you:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
and it works with
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
Gru?
Andreas Reschke
---------------------------------------------------------
I try yours and get no matches on maillog.
Do you thing that the following is correct?
... port="imap,imaps,pop3,pop3s,smtp" ...
Thank you
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
