mirror of https://github.com/fail2ban/fail2ban
Daniel Black
11 years ago
parent
9be22a96a6
commit
3d776afbb0
@ -0,0 +1,18 @@
|
||||
# Fail2Ban filter for sendmail authentication failures
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = (?:sm-(mta|acceptingconnections))
|
||||
|
||||
failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Author: Daniel Black
|
||||
@ -0,0 +1,33 @@
|
||||
# Fail2Ban filter for sendmail spam/relay type failures
|
||||
#
|
||||
# Some of the below failregex will only work properly, when the following
|
||||
# options are set in the .mc file (see your Sendmail documentation on how
|
||||
# to modify it and generate the corresponding .cf file):
|
||||
#
|
||||
# FEATURE(`delay_checks')
|
||||
# FEATURE(`greet_pause', `500')
|
||||
# FEATURE(`ratecontrol', `nodelay', `terminate')
|
||||
# FEATURE(`conncontrol', `nodelay', `terminate')
|
||||
#
|
||||
# ratecontrol and conncontrol also need corresponding options ClientRate:
|
||||
# and ClientConn: in the access file, see documentation for ratecontrol and
|
||||
# conncontrol in the sendmail/cf/README file.
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = (?:sm-(mta|acceptingconnections))
|
||||
|
||||
failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email>(<\S+@\S+>)?), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$
|
||||
^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: (\d+\.){3}\d+\ listed at \S+)$
|
||||
^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$
|
||||
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Author: Daniel Black and Fabian Wenk
|
||||
@ -0,0 +1,12 @@
|
||||
|
||||
# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" }
|
||||
Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
|
||||
|
||||
# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" }
|
||||
Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
|
||||
|
||||
# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" }
|
||||
Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
|
||||
|
||||
# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
|
||||
Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
|
||||
@ -0,0 +1,24 @@
|
||||
# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" }
|
||||
Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
|
||||
|
||||
# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" }
|
||||
Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
|
||||
|
||||
# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" }
|
||||
Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
|
||||
|
||||
# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" }
|
||||
Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist
|
||||
|
||||
# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" }
|
||||
Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
|
||||
|
||||
# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" }
|
||||
Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist
|
||||
|
||||
# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" }
|
||||
Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
|
||||
|
||||
# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" }
|
||||
Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
|
||||
|
||||
Loading…
Reference in new issue