As an addendum to below, here are examples from my log files I want to filter:
Sep 1 21:44:46 hst postfix/smtpd[28571]: connect from unknown[101.89.216.243]
Sep 1 21:44:51 hst postfix/smtpd[28571]: warning: unknown[101.89.216.243]: SASL LOGIN authentication failed: UGFje8vcmQ6
What port is this being conducted on?
Is this smtp port 25?
Or is this on 3659, which appears to be the SASL port when looked up online?
I assume if this type of authentication is happening on smtp/25 then
I won't be able to use f2b or iptables to stop the logins without
stopping regular smtp traffic from the ipspace?
This is a general security/ports question.
Is there a way to allow incoming SMTP mail traffic but block
attempts to use SMTP AUTH (obviously as a way to probe or brute
force logins)? Are these separate ports or the same? (i.e. if I
block port 25, do I stop dovecot login attempts but also block any
inbound mail? Or are there separate ports in place?)
I'm wondering if it is possible to allow, for example, mail to
originate from a foreign IP space, but not allow that same IP space
to attempt to login via smtp auth to check for user
accounts. Obviously, I can block imap and pop3 ports, but it looks
like there are some additional ports, like 25 that may serve dual
purpose? Allowing incoming mail, but also allowing login
attempts? Is there a way to allow one and block the other?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
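As an added example (not part of the thread, and not fail2ban's own filter code), here is a small Python re-implementation of what a fail2ban jail keys on for the log lines quoted above: the regex matches the Postfix `SASL ... authentication failed` warning, ignores the `connect from` line, and an IP is flagged once it reaches `maxretry` failures inside a `findtime` window. The log lines are constructed for the example; only the first two come from the post, the hostname `mail.example.net` and the address `203.0.113.7` are placeholders, and a syslog line carries no year, so a placeholder leap year is used when parsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Postfix smtpd SASL failure line as it appears in the thread.
# In the real log this is one line; the mail client wrapped it.
SASL_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: '
    r'warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: '
    r'SASL (?:LOGIN|PLAIN|CRAM-MD5) authentication failed'
)

# Constructed sample: the two lines from the post plus invented follow-ups.
SAMPLE_LINES = [
    "Sep 1 21:44:46 hst postfix/smtpd[28571]: connect from unknown[101.89.216.243]",
    "Sep 1 21:44:51 hst postfix/smtpd[28571]: warning: unknown[101.89.216.243]: SASL LOGIN authentication failed: UGFje8vcmQ6",
    "Sep 1 21:45:03 hst postfix/smtpd[28571]: warning: unknown[101.89.216.243]: SASL LOGIN authentication failed: UGFje8vcmQ6",
    "Sep 1 21:45:20 hst postfix/smtpd[28580]: warning: unknown[101.89.216.243]: SASL PLAIN authentication failed: UGFje8vcmQ6",
    "Sep 1 21:50:00 hst postfix/smtpd[28590]: warning: mail.example.net[203.0.113.7]: SASL LOGIN authentication failed: UGFje8vcmQ6",
    "Sep 1 21:50:02 hst postfix/smtpd[28590]: disconnect from mail.example.net[203.0.113.7]",
]


def parse_failures(lines):
    """Yield (timestamp, ip) for every SASL authentication failure line."""
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year; prepend a leap year so Feb 29 parses.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def ips_to_ban(lines, maxretry=3, findtime=600):
    """Return the IPs with at least `maxretry` failures inside any `findtime`-second window,
    mirroring how a fail2ban jail decides to ban."""
    events = defaultdict(list)
    for ts, ip in parse_failures(lines):
        events[ip].append(ts)
    banned = set()
    for ip, times in events.items():
        times.sort()
        # Slide a window of maxretry consecutive failures and check its span.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    for ts, ip in parse_failures(SAMPLE_LINES):
        print(ts.strftime("%b %d %H:%M:%S"), ip)
    print("would ban:", sorted(ips_to_ban(SAMPLE_LINES)))
```

Two things this makes visible. First, the smtpd log line does not record the listening port at all; whether AUTH is offered on 25 depends on `smtpd_sasl_auth_enable` in Postfix `main.cf`, and the usual arrangement is to keep it off there and enable it only on the submission service in `master.cf` (with `-o smtpd_sasl_auth_enable=yes`), so inbound mail on 25 never reaches an AUTH exchange while clients still authenticate on 587 or 465. With the common `-o syslog_name=postfix/submission` convention on that service, a plain `postfix/smtpd` prefix like the one above usually means the port-25 service, but only `master.cf` can confirm it. Second, a ban is per IP, not per port: whichever ports the jail's action lists are what get closed for that address, so restricting the action to the submission ports is what lets mail delivery from the same IP continue.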