Need help with fail2ban regex
Running Debian Etch with Postfix and Courier.
I get these at least daily:
Code:
Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
Extra Info:
Solution for Postfix with Postgres: SASL error: authentication failed: authentication failure
My setup is correct (mysql and not postgres anyway).
These are "hack" attempts. They attempt to log in with different names and dictionary passwords. I'd like to get fail2ban to block these, since they happen daily.
Okay - thanks for that. This is for POP3, not SSH.
It does look to be distributed attacks since the IP changes all the time, but the method is always the same. They try to access a POP account using common names like "admin@domain.com" or "apache@domain.com" and a dictionary password. I'd like to stop them - I have fail2ban installed and it will do so, if I can only get my regex to match. That's what I need help with.
Can't you use something simple like "SASL.*authentication fail(ed|ure)$" ?
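Added example (not part of the thread and not any poster's code): a Python check of the two patterns quoted above against the posted log line and two constructed lines in the shape the thread's failregex expects. `HOST_GROUP` is a simplified stand-in for fail2ban's `<HOST>` tag, and the 192.0.2.10 lines are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is broader and varies by fail2ban version).
HOST_GROUP = r"(?P<host>[\w.:\-]+)"

# Patterns quoted in the thread.
THREAD_FAILREGEX = (r": warning: [-._\w]+\[<HOST>\]: SASL "
                    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")
SUGGESTED_REGEX = r"SASL.*authentication fail(ed|ure)$"

# POSTED_LINE is the line from the thread; the other two are constructed.
POSTED_LINE = ("Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: "
               "SASL authentication failure: no secret in database")
CLIENT_LINE = ("Dec 3 04:53:34 mail4 postfix/smtpd[17647]: warning: "
               "unknown[192.0.2.10]: SASL LOGIN authentication failed")
CLIENT_LINE_REASON = CLIENT_LINE + ": authentication failure"


def check(failregex, line):
    """Return (matched, host); host is None when there is no address to ban."""
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    if m is None:
        return (False, None)
    return (True, m.groupdict().get("host"))


def report():
    """Run both patterns over all three sample lines."""
    rows = []
    for name, rx in (("thread", THREAD_FAILREGEX),
                     ("suggested", SUGGESTED_REGEX)):
        for label, line in (("posted", POSTED_LINE),
                            ("client", CLIENT_LINE),
                            ("client+reason", CLIENT_LINE_REASON)):
            rows.append((name, label) + check(rx, line))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-10s %-14s matched=%-5s host=%s" % row)
```

The posted line carries no client address, so no pattern can extract a host from it, and a pattern without `<HOST>` matches without naming anything to ban. fail2ban ships `fail2ban-regex` for running the same kind of check against a real log file.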
Is your jail.conf configured for POP3:
Quote: