This is semi-hypothetical ... I often see spews of failed connect attempts logged by postscreen:

Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54708 to [10.24.32.15]:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54708
Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54865 to [10.24.32.15]:25
Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54865 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54865

and so on.

It would be nice to be able to automatically block these IPs temporarily, and that's what fail2ban does. However, I think fail2ban makes the assumption that the firewall in use is iptables and that it's running on the same host. My firewall is in front of all the internal servers, and runs shorewall as a front-end to iptables.

Has anyone set up fail2ban to trigger from postscreen rejections and apply blocks to a firewall on a separate host? And if so, any tips to share?

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
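
The detection half of what the post asks for, as an added example that is not part of the original message and is not fail2ban's own code: it counts postscreen PREGREET events per client address inside a time window and reports the addresses that cross a threshold. The function name, the `maxretry`/`findtime_s`/`year` parameters and their defaults are assumptions; applying the resulting ban on a separate firewall host is not covered.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 70.39.115.203 lines follow the log quoted in the post;
# the 192.0.2.10 lines (documentation address range) and the smtpd line are
# made up to exercise the threshold and the postscreen-only filter.
SAMPLE_LOG = r"""Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54708 to [10.24.32.15]:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
Sep 12 11:20:00 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [192.0.2.10]:40001: EHLO example\r\n
Sep 12 11:21:00 minbar postfix/smtpd[9300]: connect from unknown[192.0.2.10]
Sep 12 11:45:00 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [192.0.2.10]:40002: EHLO example\r\n
"""

# Match only postscreen PREGREET lines; capture the syslog timestamp and client IP.
PREGREET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s\S+\spostfix/postscreen\[\d+\]:\s"
    r"PREGREET\s\d+\safter\s[\d.]+\sfrom\s\[(?P<ip>[^\]]+)\]:\d+"
)

def pregreet_offenders(log_text, maxretry=2, findtime_s=60, year=2000):
    """Return {ip: time the threshold was crossed} for clients with at least
    `maxretry` PREGREET events inside any `findtime_s`-second window.
    Syslog timestamps carry no year, so `year` is an assumed value."""
    recent = defaultdict(list)   # ip -> PREGREET times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = PREGREET_RE.match(line)
        if not m:
            continue             # other postscreen events and other daemons
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # Drop hits that have aged out of the window, then record this one.
        recent[ip] = [t for t in recent[ip]
                      if (when - t).total_seconds() <= findtime_s] + [when]
        if len(recent[ip]) >= maxretry and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    for ip, when in pregreet_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the PREGREET threshold at {when:%b %d %H:%M:%S}")
```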