Hello list. I have a question about fail2ban and bad logins on SASL. I use SASL, sendmail and cyrus-imapd. In jail.conf I use the following syntax:
[sasl-iptables]
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=my@email]
logpath  = /var/log/maillog
maxretry = 6
and the following filter:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
in iptables:
fail2ban-sasl  tcp  --  anywhere  anywhere  tcp dpt:smtp ...

Chain fail2ban-sasl (2 references)
target  prot opt source    destination
RETURN  all  --  anywhere  anywhere
The problem is that it never bans bad logins.
I tried changing the action to port="imap,imaps,pop3,pop3s,smtp", but nothing changes.
Can somebody help me?
Thank you, Nikos
centos-bounces@centos.org wrote on 09.08.2011 10:39:57:
From: Nikos Gatsis - Qbit <ngatsis@qbit.gr> (sent via centos-bounces@centos.org), 09.08.2011 10:40
Reply to: CentOS mailing list <centos@centos.org>
To: centos@centos.org
Subject: [CentOS] fail2ban help
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Nikos, I have nearly the same regex as you:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
and it works with
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
Regards,
Andreas Reschke
Unix/Linux-Administration
Andreas.Reschke@behrgroup.com
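As an added example (not code from either post, and not fail2ban's own code), the following Python script checks the SASL failregex from this thread the way fail2ban-regex does: it substitutes fail2ban's <HOST> pattern for the <HOST> tag, runs the result over a handful of log lines, and tallies the matches per host against the jail's maxretry. The sample lines, the RFC 5737 addresses and the sendmail-style line in them are constructed for illustration and are not taken from the thread or from a real maillog. Only lines in the "warning: host[addr]: SASL ... authentication failed" shape that this regex was written for are counted; anything logged in a different shape is not.

```python
import re
from collections import Counter

# fail2ban substitutes this pattern for the <HOST> tag before it compiles a failregex;
# the optional prefix tolerates IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.7.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from the thread. The brackets around <HOST> must be escaped so that they
# match the literal [ ] around the client address instead of forming a character class.
FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [A-Za-z0-9+/]*={0,2})?$"
)

# Constructed sample maillog lines (not real traffic; RFC 5737 documentation addresses).
# Lines 1-2 have the "warning: host[addr]: SASL ... authentication failed" shape the regex
# was written for. Line 3 is a constructed authentication failure in a different shape,
# and line 4 is not an authentication failure at all; neither should be counted.
SAMPLE_LOG = [
    "Aug  9 10:39:57 mail postfix/smtpd[12345]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Aug  9 10:40:01 mail postfix/smtpd[12345]: warning: host.example.net[198.51.100.23]: "
    "SASL PLAIN authentication failed",
    "Aug  9 10:40:05 mail sendmail[12350]: p79AeA5b012350: AUTH failure (LOGIN): "
    "authentication failure, relay=[192.0.2.9]",
    "Aug  9 10:40:09 mail postfix/smtpd[12345]: connect from unknown[203.0.113.7]",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_failures(lines, failregex=FAILREGEX):
    """Return (line_number, host) for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for number, line in enumerate(lines, start=1):
        match = pattern.search(line)
        if match:
            hits.append((number, match.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=6):
    """Hosts with at least maxretry matched failures.

    fail2ban additionally requires those failures to fall within findtime; that window
    is ignored here, so this is the most the jail could ban for the given lines.
    """
    counts = Counter(host for _, host in hits)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    hits = match_failures(SAMPLE_LOG)
    for number, host in hits:
        print(f"line {number}: matched, host={host}")
    print("would ban with maxretry=6:", hosts_to_ban(hits, maxretry=6) or "nothing")
```

Against the real log, use fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf as Andreas suggests; if it reports no matches, put one actual failure line from the maillog next to the regex and compare the two shapes. Note also that with maxretry = 6 a host is only banned after six matched lines inside findtime, so a couple of test logins will never trigger the action.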