On 2014-12-16 07:20, Mark Constable wrote:
...
> 
> Bonus question, aside from fail2ban, has anyone got any rules for iptables
> to block/drop on an OS level any courier-related authdaemon logins and
> these port 25 access attempts?
> 

I used fail2ban some time ago. If you want to block failed
authentications you could do something like this:

failregex = error,relay\=<HOST>,msg\=\"535


You can test this with:

~# fail2ban-regex -v courier.log "error,relay=<HOST>,msg=\"535"

This would match log lines like this:

Dec 16 16:44:43 mail courieresmtpd: error,relay=::ffff:91.81.64.210,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt jim

It is excellent for server performance and bandwidth to add DROP lines
for these in iptables. Look at other forms of failure, such as relaying,
DNS or error commands too.


I guess it might be possible to have some iptables rules that parse the
data stream to courier for the response - but is that really more
efficient than fail2ban?

~A
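
Added example, not part of the original post and not fail2ban's own code: a Python sketch of what the failregex above does, counting 535 failures per host within a time window and printing an iptables DROP rule for each host over the threshold. The <HOST> stand-in, the function names, the maxretry/findtime defaults and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from the post; <HOST> is swapped for a simplified stand-in for
# fail2ban's own expansion (assumption: optional ::ffff: prefix, then address).
FAILREGEX = r'error,relay\=<HOST>,msg\=\"535'
HOST = r'(?:::f{4,6}:)?(?P<host>[0-9A-Fa-f:.]+)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))

# Constructed sample lines in the format shown in the post (documentation IPs).
SAMPLE_LOG = '''\
Dec 16 16:44:43 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt
Dec 16 16:44:50 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt
Dec 16 16:45:02 mail courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt
Dec 16 16:45:10 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt
Dec 16 17:30:00 mail courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN amlt
Dec 16 17:30:05 mail courieresmtpd: error,relay=::ffff:198.51.100.7,msg="502 ESMTP command error",cmd: FOO
'''

def failures(log_text, year=2014):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            # syslog timestamps carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            yield ts, m.group('host')

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside findtime seconds."""
    seen, banned = defaultdict(list), []
    window = timedelta(seconds=findtime)
    for ts, host in failures(log_text):
        hits = [t for t in seen[host] if ts - t <= window] + [ts]
        seen[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def drop_rule(host):
    """iptables command that drops SMTP traffic from one IPv4 host."""
    return f"iptables -I INPUT -s {host} -p tcp --dport 25 -j DROP"

if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print(drop_rule(host))
```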

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
