On 30-Jun-2010, at 14:26, Danilo Godec wrote:
> Since we were victim of a massive SMTP DOS (still in progress,
> actually), I added these USERDEF_FAILED_ENTRY_REGEX's to stop it:
>
>> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|postfix.*\[\d+\]:) (?P<message>.*)
>>
>> # mail flood
>> USERDEF_FAILED_ENTRY_REGEX=.*warning: Recipient address rate limit
>> exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\] for service smtp
>> USERDEF_FAILED_ENTRY_REGEX=.*warning: Connection rate limit exceeded:
>> \d+ from (?P<user>.*)\[(?P<host>.*)\] for service smtp
>> USERDEF_FAILED_ENTRY_REGEX=.*NOQUEUE: reject: RCPT from
>> .*\[(?P<host>.*)\]: .*Relay access denied.*to=\<(?P<user>.*)\> .*
>
> It seems to work nicely - it blocked over 300 SMTP flooding hosts in
> last 10 minutes.

Where did you add them, just in the .conf?

I think this would be shorter and replace the first two defs.

USERDEF_FAILED_ENTRY_REGEX=.*rate limit exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\]

I've thought about doing something like this, but I am unsure about which banlist rules apply, and my rules for ssh attempts are very harsh (since pretty much no one should be logging in without a key exchange).

-- 
I have a cunning plan.
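
Added example, not part of the original message and not DenyHosts code: a Python check of which host the two original rate-limit patterns and the shorter pattern extract from sample Postfix lines. The log lines are constructed, and applying SSHD_FORMAT_REGEX first and then searching the extracted message is an assumption about how DenyHosts uses these settings.

```python
import re

# Patterns copied from the thread, with the mail-wrapped lines rejoined.
SSHD_FORMAT = re.compile(r".* (sshd.*:|\[sshd\]|postfix.*\[\d+\]:) (?P<message>.*)")
ORIGINAL = [
    re.compile(r".*warning: Recipient address rate limit exceeded: \d+ from "
               r"(?P<user>.*)\[(?P<host>.*)\] for service smtp"),
    re.compile(r".*warning: Connection rate limit exceeded: \d+ from "
               r"(?P<user>.*)\[(?P<host>.*)\] for service smtp"),
]
SHORTER = [re.compile(r".*rate limit exceeded: \d+ from (?P<user>.*)\[(?P<host>.*)\]")]

# Constructed log lines (documentation address ranges), not taken from the thread.
SAMPLES = [
    "Jun 30 14:20:01 mail postfix/smtpd[2345]: warning: Recipient address rate "
    "limit exceeded: 101 from unknown[203.0.113.7] for service smtp",
    "Jun 30 14:20:02 mail postfix/smtpd[2346]: warning: Connection rate limit "
    "exceeded: 55 from mail.example.net[198.51.100.9] for service smtp",
    # Same warning for another service: only the shorter pattern matches it.
    "Jun 30 14:20:03 mail postfix/smtpd[2347]: warning: Connection rate limit "
    "exceeded: 12 from unknown[192.0.2.44] for service submission",
    # Ordinary connection: neither pattern set should flag it.
    "Jun 30 14:20:04 mail postfix/smtpd[2348]: connect from unknown[203.0.113.7]",
]


def extract_host(line, patterns):
    """Return the host a pattern set would report for this line, or None."""
    fmt = SSHD_FORMAT.match(line)
    if fmt is None:
        return None
    for rx in patterns:
        hit = rx.search(fmt.group("message"))
        if hit:
            return hit.group("host")
    return None


def compare(lines):
    """Pair up (original, shorter) results so differences are easy to spot."""
    return [(extract_host(l, ORIGINAL), extract_host(l, SHORTER)) for l in lines]


if __name__ == "__main__":
    for line, (orig, short) in zip(SAMPLES, compare(SAMPLES)):
        print(f"original={orig!s:<14} shorter={short!s:<14} {line[16:]}")
```

The third line shows the one behavioural difference: without the trailing `for service smtp`, the shorter pattern also counts rate-limit warnings logged for other services.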