[Users] Help Request: Fail2ban for SASL-Auth Only
Manuel Garbin
manuel at studiostorti.com
Wed Jun 3 07:30:00 CEST 2020
Hi Mark,
here we go with this regexp:
grep -P 'postfix\/submission\/smtpd\[\d+\]: warning: .*\[(.*)\]: SASL \w+ authentication failed: authentication failure$' /var/log/zimbra.log
This will match only submission port.
In fail2ban you need a new filter with a rule like this:
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
> From: "L Mark Stone" <lmstone at lmstone.com>
> To: "users" <users at lists.zetalliance.org>
> Sent: Tuesday, 2 June 2020 23:13:54
> Subject: [Users] Help Request: Fail2ban for SASL-Auth Only
> Regular expressions are a weak point with me and I've got DoSFilter working just
> fine already.
> What I'm looking to do is implement Fail2ban -- but just for SASL-Auth failures
> on port 587, and leave DoSFilter keeping watch on mailboxd.
> I've looked at a number of older Zimbra-fail2ban web sites, and none of the
> regex's there seem to match what I see in my logs for SASL-Auth failures.
> If anyone has pointers to newer Zimbra fail2ban guides, especially if they work
> with Ubuntu's UFW, I'd be grateful.
> Thanks in advance,
> Mark
> _________________________________________________
> L. Mark Stone
> Mission Critical Email LLC
> mark.stone at missioncriticalemail.com
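A way to check the failregex from the reply above before loading it into a filter, as an added example that is not part of the original message. The log lines are constructed, HOST_GROUP is a simplified stand-in for fail2ban's <HOST> tag (IP literals only), and failed_hosts/over_threshold are hypothetical helper names.

```python
import re
from collections import Counter

# failregex copied verbatim from the reply above.
FAILREGEX = (r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: "
             r"SASL \w+ authentication failed: authentication failure$")

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4/IPv6 literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample lines in /var/log/zimbra.log style (documentation addresses).
SAMPLE_LOG = """\
Jun  3 07:12:00 mail postfix/submission/smtpd[12345]: connect from unknown[203.0.113.7]
Jun  3 07:12:01 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:12:05 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun  3 07:13:10 mail postfix/smtpd[2222]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:13:40 mail postfix/smtps/smtpd[3333]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:14:02 mail postfix/submission/smtpd[4444]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: generic failure
Jun  3 07:15:30 mail postfix/submission/smtpd[5555]: warning: mail.example.net[2001:db8::25]: SASL LOGIN authentication failed: authentication failure
"""


def failed_hosts(lines):
    """Count failregex hits per client address, as the filter would see them."""
    hits = Counter()
    for line in lines:
        m = PATTERN.search(line.rstrip("\n"))
        if m:
            hits[m.group("host")] += 1
    return hits


def over_threshold(hits, maxretry):
    """Addresses whose hit count reaches the given retry limit."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = failed_hosts(SAMPLE_LOG.splitlines())
    for host, n in sorted(hits.items()):
        print(f"{host}\t{n}")
    # The smtpd (port 25) and smtps lines are ignored, and so is the
    # "generic failure" line because the pattern is anchored with $.
    print("would reach limit of 2:", over_threshold(hits, 2))
```

On a host with fail2ban installed, fail2ban-regex run against /var/log/zimbra.log and the new filter file performs the same check with the real <HOST> expansion.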