* Bob via Postfix-users:
> I realise stuff like failtoban is available but when I look at it the
> wrong way, or in any way, it falls over and it only looks at logfiles
> every so often [...]

I found fail2ban not to my taste, so like you I searched for possible alternatives. I finally came to terms with the prospect of having to write my own custom software if I wanted maximum control in a small, reasonably robust package. Also, I was looking for ideas for a Golang-based software project at that time.

Anyway, the idea was to have 1..n processes monitor existing syslog output files like /var/log/{mail,dovecot} by way of detecting any changes event-based, read the latest log file additions, and scan them using regular expressions. This means that I can detect a failed authentication attempt within seconds, extract the source IP address, and further process it however I want. This approach felt about as basic as I could get.

There is no scheduler or master process involved, and I use cron jobs and logrotate hooks to (re)start monitoring processes as necessary, with a little bit of bash scripting added as wrappers.

Perhaps it can serve as an idea for your own solution. Continuously observing the log files, sans interaction with existing software, seemed the easiest road to take.

-Ralph
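
The read-and-scan step described in the message above, as an added Go example that is not Ralph's software or part of the original post: call ScanNew each time a change event fires for a log file, and it returns the source IPs of failed logins found in the newly appended lines. The names ScanNew and saslFail and the regular expression (Postfix's SASL failure warning) are assumptions, since the post shows no code or patterns.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"regexp"
)

// Assumed pattern: Postfix smtpd "warning: host[ip]: SASL <mech> authentication failed".
var saslFail = regexp.MustCompile(`warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed`)

// ScanNew reads what was appended to path since offset and returns the source
// IPs of failed logins plus the offset to resume from on the next change event.
func ScanNew(path string, offset int64) ([]string, int64, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, offset, err
	}
	defer f.Close()
	if st, err := f.Stat(); err != nil {
		return nil, offset, err
	} else if st.Size() < offset { // rotated or truncated: start over
		offset = 0
	}
	if _, err := f.Seek(offset, io.SeekStart); err != nil {
		return nil, offset, err
	}
	data, err := io.ReadAll(f)
	if err != nil {
		return nil, offset, err
	}
	// Consume complete lines only; a half-written last line waits for the next event.
	end := bytes.LastIndexByte(data, '\n') + 1
	var ips []string
	for _, line := range bytes.Split(data[:end], []byte("\n")) {
		if m := saslFail.FindSubmatch(line); m != nil {
			ips = append(ips, string(m[1]))
		}
	}
	return ips, offset + int64(end), nil
}

func main() {
	for _, p := range os.Args[1:] { // e.g. /var/log/mail
		fmt.Println(ScanNew(p, 0))
	}
}
```

The size check only catches a rotated file that is still shorter than the saved offset; restarting the monitor from a logrotate hook, as the message describes, covers the other case.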