Fail2Ban - SMTP filters that help me resolve an attacked mail server with Postfix and Dovecot
## content of: /etc/fail2ban/jail.local
[mail-smtp]
enabled  = true
logpath  = /var/log/mail.log
filter   = mail-smtp
maxretry = 1
action   = iptables-multiport[name=mail-smtp, port="25,587", protocol=tcp]
## content of: /etc/fail2ban/filter.d/mail-smtp.conf
[Definition]
##
# Sample log lines each failregex below is written against:
# May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[185.3.133.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# May 18 12:53:45 mail postfix/smtpd[10926]: warning: 41.222.52.105: address not listed for hostname na.cyberlogic.co.za
# May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: ***, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to ***.******.**[***.***.***.***]:25: Connection refused)
# May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: *** status=deferred (host ******[***.***.***.***] said: 454 4.7.1 ***: Relay access denied (in reply to RCPT TO command))
# May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mta7.am0.yahoodns.net[63.250.192.46] while sending RCPT TO
# May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<rgaz1018@aol.com> *** status=deferred (delivery temporarily suspended: connect to mailin-04.mx.aol.com[64.12.88.132]:25: Connection timed out)
# May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[177.11.51.103]: From: sftjh@*******
##
# Continuation lines of a multi-line failregex must be indented, otherwise
# fail2ban's INI parser does not join them to the first pattern.
failregex = warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$
            warning: <HOST>: address not listed for hostname .*$
            status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$
            status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$
            lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$
            status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$
            warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$
ignoreregex =
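Before enabling a filter with `maxretry = 1`, it pays to check which address each pattern actually extracts. The script below is an added example, not part of the gist: it emulates what `fail2ban-regex` does, expanding `<HOST>` with fail2ban's classic host pattern (an assumption about the 0.9-era expansion; newer releases use a richer pattern that captures the same address) and running the seven `failregex` lines over sample log lines. It also records which Postfix daemon wrote each line, because that decides whose address `<HOST>` captured: `smtpd` lines name a peer that connected to this server, while `smtp` and `error` lines name a destination MX that this server was delivering to. The log lines with RFC 5737 addresses or `example.*` names are constructed stand-ins for the masked (`***`) samples in the filter's comments.

```python
import re

# Regex fail2ban (0.9-era) substitutes for the <HOST> tag. Assumed here so the
# filter can be exercised with plain Python instead of fail2ban-regex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The seven failregex lines from /etc/fail2ban/filter.d/mail-smtp.conf, verbatim.
FAILREGEX = [
    r"warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$",
    r"warning: <HOST>: address not listed for hostname .*$",
    r"status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$",
    r"status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$",
    r"lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$",
    r"status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$",
    r"warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Which Postfix daemon logged the line decides whose address <HOST> captured:
# smtpd logs peers that connected to us; smtp/error log destinations we connected to.
PROCESS_RE = re.compile(r" postfix/(\w+)\[\d+\]: ")
ROLE_BY_PROCESS = {"smtpd": "inbound-client", "smtp": "remote-mx", "error": "remote-mx"}


def match_line(line):
    """Return (failregex_index, host) for the first pattern that fires, or None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def classify_line(line):
    """Emulate the filter on one line: rule that fired, address that would be
    banned, and whether that address is a connecting client or a remote MX."""
    hit = match_line(line)
    if hit is None:
        return None
    idx, host = hit
    proc = PROCESS_RE.search(line)
    role = ROLE_BY_PROCESS.get(proc.group(1), "unknown") if proc else "unknown"
    return {"rule": idx, "host": host, "role": role}


def scan(lines):
    """Classify every matching line, in log order; non-matching lines are dropped."""
    return [c for c in (classify_line(line) for line in lines) if c is not None]


def ban_candidates(lines):
    """Addresses the jail (maxretry = 1) would ban, grouped by the role of the address."""
    out = {"inbound-client": [], "remote-mx": []}
    for c in scan(lines):
        out.setdefault(c["role"], []).append(c["host"])
    return out


# Constructed sample log, based on the filter's own comment lines. Masked (***)
# fields are replaced with RFC 5737 addresses and example.* names; the last line
# is a normal connection that no rule should match.
SAMPLE_LOG = [
    "May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[185.3.133.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 18 12:53:45 mail postfix/smtpd[10926]: warning: 41.222.52.105: address not listed for hostname na.cyberlogic.co.za",
    "May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: to=<user@example.net>, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to mx.example.net[203.0.113.25]:25: Connection refused)",
    "May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: to=<user@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.3/0.1, dsn=4.7.1, status=deferred (host mx.example.org[198.51.100.7] said: 454 4.7.1 <user@example.org>: Relay access denied (in reply to RCPT TO command))",
    "May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mta7.am0.yahoodns.net[63.250.192.46] while sending RCPT TO",
    "May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<rgaz1018@aol.com>, relay=none, delay=1234, status=deferred (delivery temporarily suspended: connect to mailin-04.mx.aol.com[64.12.88.132]:25: Connection timed out)",
    "May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[177.11.51.103]: From: sftjh@example.invalid",
    "May 15 08:00:00 mail postfix/smtpd[10583]: connect from mail.example.com[192.0.2.10]",
]

if __name__ == "__main__":
    for c in scan(SAMPLE_LOG):
        print(f"rule {c['rule']}  {c['role']:14s}  {c['host']}")
    print(ban_candidates(SAMPLE_LOG))
```

Running it shows that rules 0, 1 and 6 extract addresses of clients that connected to `smtpd`, whereas rules 2 to 5 fire on outbound delivery failures and extract the address of the remote MX (here the yahoodns and aol hosts from the sample lines). With `maxretry = 1` the jail would therefore also block those MX hosts from reaching ports 25 and 587 after a single deferred delivery, so the `remote-mx` list is the one to review before deploying the filter as written.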