Filters are indeed the way to go.

I'm personally using a reporter to log failed authentications which I'm feeding to fail2ban to block.

https://github.com/whataboutpereira/filter-auth

Good luck
Reio

On 22.06.2022 20:56, Pete wrote:
Hi,

the best is probably to implement a custom reporting filter that fits your 
needs.
http://man.openbsd.org/man7/smtpd-filters.7



Hi,
I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to log in on port 25:
```
smtp connected address=43.zzz.yy.xx host=<unknown>
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
```
So the trigger is line 2, but the IP address is in line 1.
Unfortunately there seems to be no way for the crowdsec parser to evaluate 2 lines.
Is there any chance or idea how I could change the logs to include the address 
in line 2?
Regards
Hagen Bauer
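
Added example (not part of the thread, and not the code of the linked filter-auth project): a minimal reporting filter in the smtpd-filters(7) style suggested above. It remembers each session's address from `link-connect` and writes one line, address included, when an AUTH command is rejected outright. The output line format, the function names and the sample events are constructed for illustration.

```python
import sys

EVENTS = ("link-connect", "protocol-client", "protocol-server", "link-disconnect")
# Constructed sample report lines (documentation addresses, made-up session id).
SAMPLE = [
    "report|0.7|1655924160.000000|smtp-in|link-connect|abc123|<unknown>|fail|192.0.2.7:40112|198.51.100.1:25",
    "report|0.7|1655924160.100000|smtp-in|protocol-client|abc123|AUTH LOGIN",
    "report|0.7|1655924160.200000|smtp-in|protocol-server|abc123|503 5.5.1 Invalid command: Command not supported",
]

def split_src(src):
    """'192.0.2.7:40112' -> '192.0.2.7'; '[2001:db8::1]:25' -> '2001:db8::1'."""
    host, sep, _port = src.rpartition(":")
    return (host if sep else src).strip("[]")

def handle(line, sessions):
    """Consume one report line; return a single log line for a rejected AUTH, else None."""
    f = line.rstrip("\n").split("|", 6)
    if len(f) < 6 or f[0] != "report" or f[3] != "smtp-in":
        return None
    event, sid, rest = f[4], f[5], (f[6] if len(f) > 6 else "")
    if event == "link-connect":
        p = rest.split("|")  # rdns|fcrdns|src|dest
        if len(p) >= 3:
            sessions[sid] = {"addr": split_src(p[2]), "auth": None}
    elif event == "link-disconnect":
        sessions.pop(sid, None)  # forget finished sessions
    elif sid in sessions:
        s = sessions[sid]
        if event == "protocol-client":
            # Keep only "AUTH <mechanism>": an AUTH PLAIN argument carries credentials.
            cmd = " ".join(rest.split()[:2]).replace('"', "'")
            s["auth"] = cmd if cmd.upper().startswith("AUTH") else None
        elif event == "protocol-server" and s["auth"]:
            cmd, s["auth"] = s["auth"], None
            if rest[:1] == "5":  # permanent failure reply to the AUTH command itself
                return f'auth-rejected address={s["addr"]} session={sid} command="{cmd}" result="{rest}"'
    return None

def main():
    sessions = {}
    for line in sys.stdin:
        if line.strip() == "config|ready":  # smtpd has finished sending its config
            regs = [f"register|report|smtp-in|{ev}" for ev in EVENTS] + ["register|ready"]
            print("\n".join(regs), flush=True)
        elif (out := handle(line, sessions)):
            # stderr is assumed here to end up in smtpd's log
            print(out, file=sys.stderr, flush=True)

if __name__ == "__main__":
    main()
```

Because the emitted line carries both the trigger and the address, a single-line parser such as crowdsec's or fail2ban's can match it directly.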