OT: log spam
Anthony Giggins
seven at seven.dorksville.net
Tue Jun 15 06:36:48 IST 2010
> should have debugged. action = iptables[name=spam, port=smtp,
> protocol=tcp]
>
> Marc Lucke wrote:
>> for anyone interested who uses fail2ban:
>>
>> # cat filter.d/spam.conf
>> failregex = Message .* from <HOST> .* is spam
>> ignoreregex =
>> # tail -n 8 jail.conf
>> [spam]
>> enabled = true
>> filter = spam
>> maxretry = 1
>> bantime = 3600
>> action = iptables-multiport[name=spam port="smtp", protocol=tcp]
>> sendmail-whois[name=spam, dest=root, sender=root]
>> logpath = /var/log/maillog
>>
>> works a treat :) Thanks John! I was getting too complicated.
Has anyone got a known working fail2ban config for dovecot Auth failures?

/etc/fail2ban/filter.d/dovecot.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = dovecot
failregex = dovecot.*authentication failure.*rhost\=<HOST>
ignoreregex =

It seems to pass fail2ban-regex, i.e.

/usr/bin/fail2ban-regex /var/log/secure.1 /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============
Use regex file : /etc/fail2ban/filter.d/dovecot.conf
Use log file : /var/log/secure.1
Results
=======
Failregex
|- Regular expressions:
| [1] dovecot.*authentication failure.*rhost\=<HOST>
|
`- Number of matches:
[1] 32 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
66.207.197.12 (Mon Jun 07 21:31:33 2010)
66.207.197.12 (Mon Jun 07 21:31:33 2010)
66.207.197.12 (Mon Jun 07 21:31:33 2010)
66.207.197.12 (Mon Jun 07 21:31:33 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
66.207.197.12 (Mon Jun 07 21:31:34 2010)
41.196.251.149 (Tue Jun 08 12:11:43 2010)
41.196.251.149 (Tue Jun 08 12:11:43 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:44 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
41.196.251.149 (Tue Jun 08 12:11:45 2010)
60.8.11.54 (Tue Jun 08 17:23:06 2010)
60.8.11.54 (Tue Jun 08 17:23:07 2010)
60.8.11.54 (Tue Jun 08 17:23:08 2010)
Date template hits:
132 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
Success, the total number of match is 32
However, look at the above section 'Running tests' which could contain important information.
but I've never seen it block anything :(
Cheers
Anthony
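
Added example (not part of the original post, and not fail2ban's own code): fail2ban-regex only tests whether the filter matches, while a jail bans a host once it has maxretry matches inside findtime seconds. This Python sketch runs the failregex from the post over constructed log lines and applies that count; the <HOST> expansion, the sample lines and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied from the post; fail2ban substitutes <HOST> before compiling.
FAILREGEX = r"dovecot.*authentication failure.*rhost\=<HOST>"
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines (documentation addresses), syslog-style timestamps.
_FAIL = ("{} mail dovecot-auth: pam_unix(dovecot:auth): "
         "authentication failure; ruser=bob rhost={}  user=bob")
SAMPLE = [
    _FAIL.format("Jun  7 21:31:33", "192.0.2.10"),
    _FAIL.format("Jun  7 21:31:34", "192.0.2.10"),
    _FAIL.format("Jun  7 21:31:34", "192.0.2.10"),
    _FAIL.format("Jun  8 12:00:00", "198.51.100.7"),
    _FAIL.format("Jun  8 12:15:00", "198.51.100.7"),
    _FAIL.format("Jun  8 12:30:00", "198.51.100.7"),
    "Jun  8 12:31:00 mail dovecot: imap-login: Login: user=<bob>, rip=203.0.113.5",
]

def parse(line, year=2010):
    """Return (timestamp, host) if the failregex matches, else None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def would_ban(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry matches within findtime seconds, in ban order."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), []
    for hit in filter(None, map(parse, lines)):
        ts, host = hit
        seen = recent[host]
        seen.append(ts)
        while ts - seen[0] > window:   # drop matches older than findtime
            seen.popleft()
        if len(seen) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("filter matches:", sum(parse(l) is not None for l in SAMPLE))
    print("banned at maxretry=3:", would_ban(SAMPLE))
    print("banned at maxretry=1:", would_ban(SAMPLE, maxretry=1))
```

In the constructed data both hosts match the filter three times, but only the host whose failures fall inside one findtime window reaches the ban threshold.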