Hi Marcus,

I think I am missing something with fail2ban.

On 10/17/2015 04:33 PM, Marcus Schopen wrote:
> Hi Jayesh,
>
> On Saturday, 17.10.2015, 13:06 +0530, Jayesh Shinde wrote:
>> Hello all,
>>
>> I have a mail server with CentOS 6.3 + cyrus-imapd + postfix + ldap.
>> We are using cyrus-sasl-2.1.23-13.el6.x86_64 with the 'PAM' mechanism.
>>
>> Many spammers are trying to hack passwords by making many authentication attempts against the pop3 + imap + smtp services. Fail2ban has been added on the server, but it is blocking hacker IPs after a certain interval and not in real time, which is the actual issue. I am looking for some real-time blocking where that particular spammer IP + email id must get blocked.
>
> I'm using fail2ban too and I don't understand what you mean by "real time". In my configuration the ban is set immediately after three failed logins (no delay), and for more extended banning of persistent abusers I use the recidive filter.

I am looking for immediate source IP blocking after 3 wrong attempts for pop / imap / smtp login failures. Can you please share your correct configuration? That will help me to understand the regex matching part.

>> What is your suggestion for the 3 points below? I believe this issue is very common for others too. Is there any option in 'saslauthd' / postfix / cyrus-imapd for the requirements below?
>>
>> 1) If the server receives a wrong password, is it possible to introduce a delay of, say, 5-10 seconds to the sending client, so that the spammer will make fewer attempts?
>>
>> 2) After a wrong password has been given more than 3 times, the particular "IP + email id" must get blocked for the next 5-10 min, and then needs to be unblocked after that.
>>
>> 3) I checked PAM-ABL, but it is not working for 'saslauthd' with pop / imap / smtp, because I came to know that 'saslauthd' is not getting the IP of the source. How can the source IP be passed to 'saslauthd' along with the email id, password and realm? Is there any patch available for this?
>
> Ciao!
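The counting rule discussed in this thread (ban on the third failure, keyed on "IP + email id", release after 5-10 minutes) can be sketched as below. This is an added example, not fail2ban's code and not a configuration from anyone in the thread. It assumes Cyrus-style `badlogin` syslog lines, which carry both the client IP and the user, a 10-minute counting window, and a fixed year, because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 3                      # failures before a ban, as asked in the thread
FIND_TIME = timedelta(minutes=10)  # assumed window for counting failures
BAN_TIME = timedelta(minutes=10)   # "block for next 5-10 min"

# Cyrus-style "badlogin" line: timestamp, host, service[pid], client IP, mech, user.
BADLOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \w+\[\d+\]: badlogin: "
    r"\S* ?\[(?P<ip>[0-9a-fA-F.:]+)\] \S+ (?P<user>\S+) SASL\(")

def scan(lines, year=2015):
    """Return ban windows as (ip, user, start, end) for each (IP, user) pair."""
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    banned_until, bans = {}, []
    for line in lines:
        m = BADLOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if ts < banned_until.get(key, datetime.min):
            continue               # pair is already blocked; nothing to count
        q = failures[key]
        q.append(ts)
        while ts - q[0] > FIND_TIME:
            q.popleft()            # drop failures older than the window
        if len(q) >= MAX_RETRY:
            banned_until[key] = ts + BAN_TIME
            bans.append((*key, ts, ts + BAN_TIME))
            q.clear()
    return bans

def is_blocked(bans, ip, user, when):
    """True if (ip, user) falls inside any recorded ban window at `when`."""
    return any(b[0] == ip and b[1] == user and b[2] <= when < b[3] for b in bans)

# Constructed sample log (documentation addresses, made-up users).
_FMT = ("Oct 17 {} mail {}[2101]: badlogin: [{}] plaintext {} "
        "SASL(-13): authentication failed: checkpass failed")
SAMPLE = [_FMT.format(*row) for row in [
    ("13:00:01", "imap", "203.0.113.7", "alice@example.com"),
    ("13:00:03", "pop3", "203.0.113.7", "alice@example.com"),
    ("13:00:04", "imap", "198.51.100.9", "bob@example.com"),
    ("13:00:05", "imap", "203.0.113.7", "alice@example.com"),  # third failure
    ("13:04:00", "imap", "203.0.113.7", "alice@example.com"),  # inside the ban
    ("13:11:00", "imap", "203.0.113.7", "alice@example.com"),  # ban expired
]]

if __name__ == "__main__":
    for ban in scan(SAMPLE):
        print(ban)
```

The per-pair key only works where the log line carries both the address and the user; a log source that records the IP alone can only be counted per IP.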