[Users] Help Request: Fail2ban for SASL-Auth Only
L Mark Stone
lmstone at lmstone.com
Tue Jun 9 19:53:52 CEST 2020
My blog post on using fail2ban and UFW together on Ubuntu for protecting just the Submission port is now up:
https://www.missioncriticalemail.com/2020/06/08/zimbra-fail2ban-for-submission-only/
I hope you find it helpful; please let me know if you have any corrections or suggestions for improvements!
With best regards to all,
Mark
_________________________________________________
L. Mark Stone
Mission Critical Email LLC
________________________________
From: L Mark Stone <lmstone at lmstone.com>
Sent: Wednesday, June 3, 2020 9:46 AM
To: Manuel Garbin <manuel at studiostorti.com>
Cc: users <users at lists.zetalliance.org>
Subject: Re: [Users] Help Request: Fail2ban for SASL-Auth Only
Hi Manuel,
A thousand thanks!
That is exactly what I was looking for. Are you OK if I give you and Studio Storti some credit in my upcoming blog post on this subject?
All the best,
Mark
P.S. Please say hello to Paolo, Alberto and Cine for me!
_________________________________________________
L. Mark Stone
________________________________
From: Manuel Garbin <manuel at studiostorti.com>
Sent: Wednesday, June 3, 2020 1:30 AM
To: L Mark Stone <lmstone at lmstone.com>
Cc: users <users at lists.zetalliance.org>
Subject: Re: [Users] Help Request: Fail2ban for SASL-Auth Only
Hi Mark,
here we go with this regexp:
grep -P 'postfix\/submission\/smtpd\[\d+\]: warning: .*\[(.*)\]: SASL \w+ authentication failed: authentication failure$' /var/log/zimbra.log
This will match only submission port.
In fail2ban you need a new filter with a rule like this:
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
________________________________
From: "L Mark Stone" <lmstone at lmstone.com>
To: "users" <users at lists.zetalliance.org>
Sent: Tuesday, 2 June 2020 23:13:54
Subject: [Users] Help Request: Fail2ban for SASL-Auth Only
Regular expressions are a weak point with me and I've got DoSFilter working just fine already.
What I'm looking to do is implement Fail2ban -- but just for SASL-Auth failures on port 587, and leave DoSFilter keeping watch on mailboxd.
I've looked at a number of older Zimbra-fail2ban web sites, and none of the regexes there seem to match what I see in my logs for SASL-Auth failures.
If anyone has pointers to newer Zimbra fail2ban guides, especially if they work with Ubuntu's UFW, I'd be grateful.
Thanks in advance,
Mark
_________________________________________________
L. Mark Stone
Mission Critical Email LLC
mark.stone at missioncriticalemail.com
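The following is an added example, not code from the thread or from Studio Storti: it takes Manuel's failregex and runs it over a few constructed zimbra.log-style lines the way fail2ban would, to show that only `postfix/submission/smtpd` (port 587) failures are counted while a port-25 `postfix/smtpd` failure with the same wording is ignored. The `<HOST>` expansion, the log lines, the `maxretry` threshold and the function names are all my own assumptions; fail2ban's real `<HOST>` substitution is broader than the IPv4/IPv6 character class used here.

```python
import re
from collections import Counter

# Manuel's failregex from the thread, verbatim, with fail2ban's <HOST> placeholder
# still in place. fail2ban replaces <HOST> with a named group matching an IP or
# hostname; the character class below is a deliberate simplification (assumption)
# that covers dotted IPv4 and colon-hex IPv6 literals as Postfix logs them.
FAILREGEX = (r'postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: '
             r'SASL \w+ authentication failed: authentication failure$')
HOST_PATTERN = r'(?P<host>[0-9a-fA-F.:]+)'


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into a named capture group, as fail2ban does, and compile."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


# Constructed sample lines in the syslog shape Zimbra writes to /var/log/zimbra.log.
# Lines 1, 2, 4 and 5 are submission (587) failures; line 3 is a port-25 failure
# that must NOT match; line 6 is an unrelated warning that must NOT match.
SAMPLE_LOG = """\
Jun  2 22:41:07 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun  2 22:41:09 mail postfix/submission/smtpd[12345]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun  2 22:41:11 mail postfix/smtpd[12350]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  2 22:41:15 mail postfix/submission/smtpd[12346]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun  2 22:41:20 mail postfix/submission/smtpd[12346]: warning: unknown[2001:db8::2]: SASL LOGIN authentication failed: authentication failure
Jun  2 22:41:22 mail postfix/submission/smtpd[12346]: warning: hostname example.test does not resolve to address 203.0.113.7
"""


def failed_hosts(log_text: str, failregex: str = FAILREGEX) -> list:
    """Return the <HOST> value of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


def hosts_to_ban(log_text: str, maxretry: int = 3) -> list:
    """Mimic a jail's maxretry: hosts with at least `maxretry` matches, sorted."""
    counts = Counter(failed_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == '__main__':
    for host in failed_hosts(SAMPLE_LOG):
        print('match:', host)
    print('would ban (maxretry=3):', hosts_to_ban(SAMPLE_LOG))
```

Against the sample above, `203.0.113.7` is matched three times and `2001:db8::2` once; the port-25 line and the hostname warning produce no match, so with `maxretry = 3` only `203.0.113.7` would be banned. On a real server the equivalent check is fail2ban's own tool, e.g. `fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-submission.conf` (the filter filename is an assumption), which reports how many lines the failregex matched and which hosts it extracted.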