Hiya Doug.  Good to hear from you.  Thanks for the reply.

We're all Windows here, so no iptables = no Fail2Ban :(  And I don't see
a way of getting ASSP's IP lists >automatically< in the hardware firewalls
that we use.

The actor is attempting to sign in from at least a couple dozen IPs,
strangely using the same external email address as the username.  It's
>not< one of our domains.  Is there a way for ASSP to do an early deny and
add the IP to a block based only on the username provided at the SMTP auth
login time?  bombRE and related seem to go into effect only with the true
header/body.  SMTP auth isn't in the envelope.

Furthermore, I want to ban after even 1 failed try.  Setting MaxAUTHErrors
to 1 only works once the actor exceeds 1.  I don't want them to be able to
try a 2nd time.  Setting it to 0 disables it.  Setting to -1 blocks
immediately regardless of success - so that doesn't work, I need users to
be able to authenticate on the alternate ports.




On Tue, Mar 9, 2021 at 12:02 PM Doug Lytle <supp...@drdos.info> wrote:

> >> Summary question: is there a way to immediately ban IPs that try SMTP
> >> auth on a specific port, but not on other ports?  Allow SMTP auth on
> >> listenPort2, but immediately ban any IP that fails SMTP auth on port 25?
>
> I don't think that is currently an option with ASSP, but I currently do
> that with fail2ban, since I only auth on 587.
>
> Doug
>
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>