On 2/16/16 1:47 PM, Andreas Schamanek wrote:
> That's great! I wish mine could do this. For now I am only parsing the
> logs of OpenSSH, Postfix, Dovecot etc..

Dovecot can do this:

http://wiki.dovecot.org/Logging

You want:

  auth_verbose=yes
  auth_verbose_passwords=sha1

And if you're using Dovecot to handle Postfix SASL authentication, you get the checksums for failed logins on both.

We use this for detecting brute force attacks. Unfortunately fail2ban can't handle it directly (at least not with any rule I was able to figure out), so you need something separate to parse the mail logs and count how many different SHA1 checksums an IP address sends per username per unit of time (etc.).

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
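
Added example (not part of the message above, and not Tiger Technologies' own tooling): one way to do the counting it describes, in Python, flagging an IP address that sends several different password checksums for one username within a time window. The log line shape, the function name `find_guessers`, the window, the threshold and the sample lines are all assumptions; match the regex to what your Dovecot actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on Dovecot auth logging with
# auth_verbose=yes and auth_verbose_passwords=sha1; adjust to your logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth.*?"
    r"\((?P<user>[^,()]+),(?P<ip>[0-9a-fA-F.:]+)[,)].*"
    r"SHA1 of given password: (?P<sha1>[0-9a-f]+)"
)

def find_guessers(lines, window=timedelta(minutes=10), threshold=3, year=2016):
    """Return the (ip, user) pairs that sent at least `threshold` distinct
    password checksums inside one sliding window. Repeats of a single
    checksum (a client retrying a stale password) never raise the count."""
    recent = defaultdict(deque)  # (ip, user) -> deque of (time, sha1)
    flagged = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"].lower())
        q = recent[key]
        q.append((when, m["sha1"]))
        while q and when - q[0][0] > window:  # drop entries older than window
            q.popleft()
        if len({h for _, h in q}) >= threshold:
            flagged.add(key)
    return flagged

# Constructed sample lines (not real log data): alice's client retries one
# stale password, bob is being guessed at, carol mistypes three times in an hour.
SAMPLE = [
    f"Feb 16 {t} mail dovecot: auth: passwd-file({u},{ip}): "
    f"Password mismatch (SHA1 of given password: {h * 20})"
    for t, u, ip, h in [
        ("13:00:00", "alice", "192.0.2.10", "aa"),
        ("13:01:00", "alice", "192.0.2.10", "aa"),
        ("13:02:00", "alice", "192.0.2.10", "aa"),
        ("13:00:05", "bob", "203.0.113.5", "b1"),
        ("13:00:09", "bob", "203.0.113.5", "b2"),
        ("13:00:14", "bob", "203.0.113.5", "b3"),
        ("13:00:00", "carol", "198.51.100.7", "c1"),
        ("13:30:00", "carol", "198.51.100.7", "c2"),
        ("14:00:00", "carol", "198.51.100.7", "c3"),
    ]
]

if __name__ == "__main__":
    print(find_guessers(SAMPLE))
```

Counting distinct checksums rather than raw failures is what keeps a misconfigured mail client from being treated the same as a password-guessing run.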
