I have configured fail2ban, and it does work in that it bans IPs that try to access e-mail mailboxes without authorization:
Excerpt from the fail2ban log:
2015-03-11 02:04:44,562 fail2ban.actions: WARNING [sasl] Ban 83.70.84.210
2015-03-11 02:14:45,205 fail2ban.actions: WARNING [sasl] Unban 83.70.84.210
But mail.log contains further unauthorized access attempts that fail2ban simply ignores, e.g.:
Code:
Mar 10 07:28:34 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:37 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:37 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:37 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
Mar 10 07:28:40 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:43 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:43 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:43 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
Mar 10 07:28:46 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:49 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:49 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:49 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
Mar 10 07:28:49 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:52 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:52 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:52 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
Mar 10 07:28:52 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:55 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:55 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:55 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
This IP is / was not banned even though the regex test lists the IP:
Code:
Results
=======
Failregex
|- Regular expressions:
| [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
`- Number of matches:
[1] 107 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
41.57.23.150 (Tue Mar 10 07:28:37 2015)
41.57.23.150 (Tue Mar 10 07:28:43 2015)
41.57.23.150 (Tue Mar 10 07:28:49 2015)
41.57.23.150 (Tue Mar 10 07:28:52 2015)
41.57.23.150 (Tue Mar 10 07:28:55 2015)
41.57.23.150 (Tue Mar 10 07:28:58 2015)
41.57.23.150 (Tue Mar 10 07:29:01 2015)
41.57.23.150 (Tue Mar 10 07:29:04 2015)
41.57.23.150 (Tue Mar 10 07:29:07 2015)
41.57.23.150 (Tue Mar 10 07:29:10 2015)
41.57.23.150 (Tue Mar 10 07:29:16 2015)
41.57.23.150 (Tue Mar 10 07:29:19 2015)
Does anyone have an idea why this IP was not banned?
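fail2ban-regex only reports which lines match; the running jail bans an address once it reaches maxretry matches within findtime. The following added example (not part of the original post, and a simplified model rather than fail2ban's own code) applies the post's failregex to the posted mail.log lines and reports when that threshold would be reached. The `maxretry` and `findtime` values are assumptions, since the post does not state the jail's settings, and `would_ban` is a hypothetical helper name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the post; <HOST> is replaced by a plain IPv4 group
# (a simplification of fail2ban's own host pattern).
FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(: [A-Za-z0-9+/]*={0,2})?$")
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# mail.log lines copied from the post (a subset covering the first five failures).
SAMPLE = """\
Mar 10 07:28:34 srv postfix/smtpd[23512]: connect from unknown[41.57.23.150]
Mar 10 07:28:37 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:37 srv postfix/smtpd[23512]: lost connection after AUTH from unknown[41.57.23.150]
Mar 10 07:28:43 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:49 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:52 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:55 srv postfix/smtpd[23512]: warning: unknown[41.57.23.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 07:28:55 srv postfix/smtpd[23512]: disconnect from unknown[41.57.23.150]
""".splitlines()


def would_ban(lines, maxretry, findtime, year=2015):
    """Map each IP to the time of the failure that reaches maxretry
    matches within findtime seconds (sliding window per address)."""
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        m = PATTERN.search(line.rstrip())
        if not m:
            continue  # connect/disconnect lines do not count as failures
        # syslog timestamps carry no year; 2015 is taken from the regex test output
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        q = window[m.group("host")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than the findtime window
        if len(q) >= maxretry and m.group("host") not in bans:
            bans[m.group("host")] = ts
    return bans


if __name__ == "__main__":
    # maxretry=3 and findtime=600 are assumed values, not taken from the post
    for ip, ts in would_ban(SAMPLE, maxretry=3, findtime=600).items():
        print(f"{ip} reaches maxretry at {ts}")
```
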