[CentOS] Antwort: fail2ban help

Andreas Reschke Andreas.Reschke at behrgroup.com
Tue Aug 9 08:52:06 UTC 2011


centos-bounces at centos.org schrieb am 09.08.2011 10:39:57:

> Nikos Gatsis - Qbit <ngatsis at qbit.gr> 
> Gesendet von: centos-bounces at centos.org
> 
> 09.08.2011 10:40
> 
> Bitte antworten an
> CentOS mailing list <centos at centos.org>
> 
> An
> 
> centos at centos.org
> 
> Kopie
> 
> Thema
> 
> [CentOS] fail2ban help
> 
> Hello list.
> I have a question for fail2ban for bad logins on sasl.
> I use sasl, sendmail and cyrus-imapd.
> In jail.conf I use the following syntax:
> 
> [sasl-iptables]
> 
> enabled  = true
> filter   = sasl
> backend  = polling
> action   = iptables[name=sasl, port=smtp, protocol=tcp]
>            sendmail-whois[name=sasl, dest=my at email]
> logpath  = /var/log/maillog
> maxretry = 6
> 
> and the following filter:
> 
> failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL
> (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:
> [A-Za-z0-9+/]*={0,2})?$
> 
> in iptables:
> 
> fail2ban-sasl  tcp  --  anywhere             anywhere            tcp
> dpt:smtp
> ...
> 
> Chain fail2ban-sasl (2 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> 
> 
> The problem is that never ban bad logins.
> 
> I tried to change action as port="imap,imaps,pop3,pop3s,smtp" but
> nothing change.
> 
> Can somebody help me?
> 
> Thank you,
> Nikos
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Hello Nikos,
I have nearly the same regex as you:

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
and it works with
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
 
 
Gruß 
Andreas Reschke
________________________________________________________________

Unix/Linux-Administration
Andreas.Reschke at behrgroup.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20110809/47560e1e/attachment.html>


More information about the CentOS mailing list