Thanks guys! John, could you send me a simple filter for fail2ban + SMTP? I tried using the following filters, but they are not sufficient for me yet.
/etc/fail2ban/filter.d/sendmail.conf

[Definition]
failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
            \[<HOST>\], reject.*\.\.\. User unknown
            badlogin: .*\[<HOST>\] plaintext .* SASL
            reject=550 5\.7\.1 Blocked, look at http://cbl\.abuseat\.org/lookup\.cgi\?ip=<HOST>
ignoreregex =
/etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
With Kind Regards,
Gustavo A. Lacoste Z. Curacautín - Chile Skype: knxroot Msn & Gtalk: knx.root [at] gmail.com Home page: http://www.lacosox.org - - Please avoid sending me attachments in Word or PowerPoint format. Read http://www.gnu.org/philosophy/no-word-attachments.es.html
2012/6/15 John Hinton webmaster@ew3d.com
On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
The problem with my server is: I use it to offer webhosting services. Some customers using Outlook are blocked because they use blacklisted IPs (the IPs simply are dynamic).
That is the same problem I am dealing with. You have to set up a dual mailserver system with outbound set to not use the blacklist used on the inbound server or you will block some of your good users who happen to land on a dirty IP address from time to time. The situation is the same with SpamAssassin or any other anti-spam system in place.
Sendmail and Postfix work the same in this regard. And I'm still not certain which one I like the most, after installing Postfix on our last 4 systems. I think the logging from Sendmail is way more logical (easier to comprehend), but maybe that is just because I have been reading those logs for many years.
I would still take a look at Fail2Ban. You need to be very careful with your rules, but it is extremely flexible. You only provided about 30 seconds from your mail log. Fail2ban will look over a much greater time span and activate whatever blocks you enable or write. I have written blocks based on not passing certain spam tests, such as the Spamhaus RBL (and yes we pay for that service). But I really didn't care for our systems to run the repeated DNS lookups. The rule blocks them at the firewall and over time, the number of blocks has decreased as many spammers have just quit trying. I have rules to block spammers mining for good email addresses (some of our domains were getting tens of thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and just about every service login, with adjusted numbers of attempts and shorter or longer times based on how the rules might adversely affect one of our actual users. Higher security risk services with low volume use by users get blocked after fewer failed attempts and for much longer times.
FYI, Spamhaus is blocking around 90% of all our inbound emails as spam. That number should actually be higher, but Fail2Ban does not allow a number of messages in due to the firewall blocks, so those don't get figured into that total. Spamhaus is perfect in blocking IP addresses that positively were used to send spam, but dynamic addresses do get caught creating some false positives.
-- John Hinton 877-777-1407 ext 502 http://www.ew3d.com Comprehensive Online Solutions
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
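An added example, not from either poster: a small Python model of what fail2ban does with the filters posted above and with the per-service policy John describes (few retries and a long ban for high-risk, low-volume hits; more tolerance where real users fumble logins). It expands the `<HOST>` tag the way fail2ban does, runs the sendmail and dovecot patterns over a constructed maillog excerpt, counts failures per host inside a sliding findtime window, and applies `ignoreip` as the escape hatch for a customer stuck on a dirty dynamic address. The log lines, jail names and the maxretry/findtime/bantime numbers are all assumptions for illustration; the real check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail.conf` against your own log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag: an optional IPv4-mapped IPv6
# prefix plus the address. The dovecot filter in the thread spells this out
# by hand instead of using the tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Patterns from the thread, one failregex line per entry, with the literal
# brackets and dots escaped so they are not read as regex metacharacters.
RELAY_DENIED = [r"\[<HOST>\], reject.*\.\.\. Relaying denied"]
RBL_BLOCKED = [r"reject=550 5\.7\.1 Blocked, look at http://cbl\.abuseat\.org/lookup\.cgi\?ip=<HOST>"]
AUTH_FAILED = [
    r"badlogin: .*\[<HOST>\] plaintext .* SASL",
    r"pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)",
]

# Hypothetical per-jail policy: (patterns, maxretry, findtime_s, bantime_s),
# i.e. the jail.local keys maxretry, findtime and bantime. An RBL hit bans on
# the first sighting for a day; SASL/IMAP logins get five tries and a short ban.
JAILS = {
    "sendmail-relay": (RELAY_DENIED, 3, 600, 3600),
    "sendmail-rbl":   (RBL_BLOCKED, 1, 600, 86400),
    "sasl-auth":      (AUTH_FAILED, 5, 600, 1800),
}

LOG_YEAR = 2012  # syslog lines carry no year; assumed for parsing

# Constructed maillog excerpt (not from the original post).
SAMPLE_LOG = """\
Jun 15 10:00:01 mx sendmail[1234]: q5FE01xx001234: ruleset=check_rcpt, arg1=<victim@example.com>, relay=[198.51.100.7], reject=550 5.7.1 <victim@example.com>... Relaying denied
Jun 15 10:00:05 mx sendmail[1235]: q5FE05xx001235: ruleset=check_rcpt, arg1=<other@example.com>, relay=[198.51.100.7], reject=550 5.7.1 <other@example.com>... Relaying denied
Jun 15 10:00:09 mx sendmail[1236]: q5FE09xx001236: ruleset=check_rcpt, arg1=<third@example.com>, relay=[198.51.100.7], reject=550 5.7.1 <third@example.com>... Relaying denied
Jun 15 10:01:00 mx sendmail[1240]: q5FE10xx001240: ruleset=check_relay, arg1=[203.0.113.9], relay=[203.0.113.9], reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=203.0.113.9
Jun 15 10:02:30 mx imap[1241]: badlogin: client.example.net [192.0.2.55] plaintext bob SASL(-13): authentication failure: checkpass failed
Jun 15 10:02:45 mx sendmail[1242]: q5FE2jxx001242: from=<alice@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.20]
Jun 15 10:03:00 mx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=192.0.2.55
"""


def compile_failregex(patterns):
    """Expand <HOST> as fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def find_failures(lines, regexes):
    """Return [(timestamp, host)] for every line matching any failregex,
    the same pairing fail2ban-regex reports when you test a filter."""
    hits = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
                hits.append((ts, m.group("host")))
                break
    return hits


def bans_for_jail(lines, patterns, maxretry, findtime, bantime, ignoreip=()):
    """Count failures per host in a sliding findtime window and ban when
    maxretry is reached. Returns {host: ban_expiry}. Hosts in ignoreip are
    never banned (fail2ban's ignoreip), the relief valve for a good customer
    who landed on a dirty dynamic address."""
    regexes = compile_failregex(patterns)
    recent = defaultdict(list)
    bans = {}
    for ts, host in sorted(find_failures(lines, regexes)):
        if host in ignoreip:
            continue
        if host in bans and ts < bans[host]:
            continue  # already dropped at the firewall; fail2ban sees no more lines
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return bans


def run(log_text=SAMPLE_LOG, ignoreip=()):
    """Apply every jail to the log; returns {jail: {host: ban_expiry}}."""
    lines = log_text.splitlines()
    return {name: bans_for_jail(lines, *policy, ignoreip=ignoreip)
            for name, policy in JAILS.items()}


if __name__ == "__main__":
    for jail, bans in run().items():
        for host, until in bans.items():
            print(f"{jail}: ban {host} until {until:%b %d %H:%M:%S}")
```

On the sample log the relay jail bans 198.51.100.7 after its third denied relay, the RBL jail bans 203.0.113.9 on a single listing, and 192.0.2.55 stays unbanned with only two login failures, which is exactly the kind of tuning John describes. Note the trade-off in the RBL jail: one hit is enough to ban for a day, so a legitimate customer on a freshly listed dynamic address is cut off until the ban expires or you add them to ignoreip.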