[Users] Help Request: Fail2ban for SASL-Auth Only

L Mark Stone lmstone at lmstone.com
Wed Jun 3 15:46:09 CEST 2020


Hi Manuel,

Many thanks!

That is exactly what I was looking for.  Are you OK if I give you and Studio Storti some credit in my upcoming blog post on this subject?

All the best,
Mark
P.S. Please say hello to Paolo, Alberto and Cine for me!

_________________________________________________

L. Mark Stone


________________________________
From: Manuel Garbin <manuel at studiostorti.com>
Sent: Wednesday, June 3, 2020 1:30 AM
To: L Mark Stone <lmstone at lmstone.com>
Cc: users <users at lists.zetalliance.org>
Subject: Re: [Users] Help Request: Fail2ban for SASL-Auth Only

Hi Mark,
here we go with this regexp:

grep -P 'postfix\/submission\/smtpd\[\d+\]: warning: .*\[(.*)\]: SASL \w+ authentication failed: authentication failure$' /var/log/zimbra.log

This will match only the submission port.
On fail2ban you need a new filter with a rule like this:

failregex =  postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$


________________________________
From: "L Mark Stone" <lmstone at lmstone.com>
To: "users" <users at lists.zetalliance.org>
Sent: Tuesday, 2 June 2020 23:13:54
Subject: [Users] Help Request: Fail2ban for SASL-Auth Only

Regular expressions are a weak point with me and I've got DoSFilter working just fine already.

What I'm looking to do is implement Fail2ban -- but just for SASL-Auth failures on port 587, and leave DoSFilter keeping watch on mailboxd.

I've looked at a number of older Zimbra-fail2ban web sites, and none of the regexes there seem to match what I see in my logs for SASL-Auth failures.

If anyone has pointers to newer Zimbra fail2ban guides, especially if they work with Ubuntu's UFW, I'd be grateful.

Thanks in advance,
Mark

_________________________________________________

L. Mark Stone

Mission Critical Email LLC

mark.stone at missioncriticalemail.com
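
Added example (not part of the original thread): a Python check of the failregex from Manuel's reply against constructed log lines, showing which SASL failures it counts and which it ignores. The sample lines, the simplified <HOST> substitute and the maxretry value of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# failregex exactly as given in the thread.
FAILREGEX = (r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: "
             r"SASL \w+ authentication failed: authentication failure$")

# Simplified stand-in for fail2ban's <HOST> tag (assumption: fail2ban's own
# expansion is more elaborate; this one only accepts IPv4/IPv6 characters).
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# Constructed log lines, not taken from a real server.
SAMPLE_LOG = """\
Jun  2 23:10:01 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun  2 23:10:04 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Jun  2 23:10:09 mail postfix/submission/smtpd[12350]: warning: host.example.net[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jun  2 23:11:00 mail postfix/smtpd[12360]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun  2 23:11:02 mail postfix/smtps/smtpd[12361]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jun  2 23:12:00 mail postfix/submission/smtpd[12370]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: Invalid authentication mechanism
Jun  2 23:12:05 mail postfix/submission/smtpd[12370]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jun  2 23:13:00 mail postfix/submission/smtpd[12380]: warning: unknown[2001:db8::1]: SASL LOGIN authentication failed: authentication failure
"""


def failed_hosts(log_text):
    """Count lines per client address that the failregex would match."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def over_threshold(hits, maxretry=3):
    """Addresses with at least maxretry matches (3 is an assumed value)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    counts = failed_hosts(SAMPLE_LOG)
    for host, count in counts.most_common():
        print(f"{host}: {count} matching failure(s)")
    print("would be banned at maxretry=3:", over_threshold(counts))
```

The port 25 (postfix/smtpd) and smtps lines are skipped because the pattern requires postfix/submission/smtpd, and the "Invalid authentication mechanism" line is skipped because the pattern ends in the literal reason "authentication failure$".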

