I have Stunnel receiving email submissions on ports 465 & 587. I’d like 
fail2ban to block attempts where the connection is refused by the mail server.

E.g.:

2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] accepted connection from ::ffff:185.222.209.224:24846
2019.04.12 10:16:22 LOG3[4]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:22 LOG5[4]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] connected remote server from 127.0.0.1:54674
2019.04.12 10:16:30 LOG5[3]: Connection closed: 232 byte(s) sent to TLS, 84 byte(s) sent to socket
2019.04.12 10:16:30 LOG5[5]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:62532
2019.04.12 10:16:31 LOG3[5]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:31 LOG5[5]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:31 LOG5[5]: Service [ssmtp] connected remote server from 127.0.0.1:54681
2019.04.12 10:16:31 LOG5[4]: Connection closed: 232 byte(s) sent to TLS, 70 byte(s) sent to socket
2019.04.12 10:16:42 LOG5[5]: Connection closed: 190 byte(s) sent to TLS, 34 byte(s) sent to socket
2019.04.12 10:16:43 LOG5[6]: Service [ssmtp] accepted connection from ::ffff:193.57.40.242:13878
2019.04.12 10:16:45 LOG3[6]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:45 LOG5[6]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:45 LOG5[6]: Service [ssmtp] connected remote server from 127.0.0.1:54688
2019.04.12 10:16:49 LOG5[6]: Connection closed: 232 byte(s) sent to TLS, 68 byte(s) sent to socket

So in the above example I would like fail2ban to ban 185.222.209.224 and 
193.57.40.242. I.e. the IP is in the line above the ‘Connection refused’ line.

Can someone please help me with a failregex for the stunnel filter that would 
do this?

Thanks,

James.
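
An added example, not part of the original post: a Python correlator that ties each "Connection refused" line to the client IP by the thread id in the `LOG3[4]` prefix, and records whether the same thread then connected to another backend address, as the pasted log shows for 127.0.0.1:25. The function name `refused_clients`, the `fallback_ok` field and the thread 7 sample lines are constructed for illustration.

```python
import ipaddress
import re

# Every stunnel line starts "<date> <time> LOG<level>[<thread id>]: ".
PREFIX = r"^\S+ \S+ LOG\d\[(?P<tid>\d+)\]: "
ACCEPT = re.compile(PREFIX + r"Service \[[^\]]+\] accepted connection from (?P<peer>\S+):\d+$")
REFUSED = re.compile(PREFIX + r"s_connect: connect (?P<target>\S+): Connection refused")
CONNECTED = re.compile(PREFIX + r"s_connect: connected \S+$")

# Thread 4 lines are taken from the post (unwrapped); thread 7 lines are constructed.
SAMPLE = """\
2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] accepted connection from ::ffff:185.222.209.224:24846
2019.04.12 10:16:22 LOG3[4]: s_connect: connect ::1:25: Connection refused (61)
2019.04.12 10:16:22 LOG5[4]: s_connect: connected 127.0.0.1:25
2019.04.12 10:16:22 LOG5[4]: Service [ssmtp] connected remote server from 127.0.0.1:54674
2019.04.12 10:17:00 LOG5[7]: Service [ssmtp] accepted connection from ::ffff:203.0.113.9:40000
2019.04.12 10:17:00 LOG3[7]: s_connect: connect 127.0.0.1:25: Connection refused (61)
"""

def refused_clients(lines):
    """Return one dict per refused backend connect, paired with its client IP."""
    client = {}    # thread id -> client IP from that thread's latest accept line
    pending = {}   # thread id -> latest finding, so a later connect can mark it
    findings = []
    for line in lines:
        line = line.strip()
        if m := ACCEPT.match(line):
            addr = ipaddress.ip_address(m["peer"])
            # ::ffff:a.b.c.d is an IPv4-mapped address; report the IPv4 form.
            client[m["tid"]] = str(getattr(addr, "ipv4_mapped", None) or addr)
            pending.pop(m["tid"], None)  # thread ids are reused per connection
        elif (m := REFUSED.match(line)) and m["tid"] in client:
            f = {"ip": client[m["tid"]], "target": m["target"], "fallback_ok": False}
            findings.append(f)
            pending[m["tid"]] = f
        elif (m := CONNECTED.match(line)) and m["tid"] in pending:
            # The same thread reached another backend address after the refusal.
            pending[m["tid"]]["fallback_ok"] = True
    return findings

if __name__ == "__main__":
    for finding in refused_clients(SAMPLE.splitlines()):
        print(finding)
```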