So, the regex shows matches when you use fail2ban-regex, but it never takes 
action?

Please try the attached patch for fail2ban just in case your version does not 
already incorporate this...

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Telefon: +49 89 57005708
Fax: +49 89 57868023
Mobil: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

Attachment: 0002-Tai64N-stores-time-in-GMT-we-need-to-convert-to-loca.patch
Description: Binary data

On 06.05.2011 at 10:15, Délsio Cabá wrote:

> Hi, I have even tried with:
> timepattern = tai64n
> 
> and fail2ban simply fails to ban. My Configuration is:
> qmail-smtp.conf
> [Definition]
> failregex = CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt 
> <.*> : client not allowed to relay
> 
> jail.conf
> [qmail-smtp]
> enabled = true
> filter = qmail
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
> logpath = /var/log/qmail/smtp/current
> maxretry = 5
> bantime = 3600
> ignoreip = 127.0.0.1
> timepattern = tai64n
> 
> 
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> You might try:
> 
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt 
> <.*> : client not allowed to relay
> 
> when I did
> 
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
> <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay"
> 
> I got 35 hits.
> 
> Martin
> 
> PS: All I did was to replace variable strings in the log line with wildcard .*
> 
> 
> 
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
> 
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this 
> > guide: 
> > http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a 
> > regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post 
> > this here also
> >
> > Thanks
> >
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen <serv...@waschbuesch.it>
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the 
> > fail2ban mailing list. :-)
> >
> > Martin
> >
> >
> > On 06.05.2011 at 08:58, Finn Buhelt wrote:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known 
> > > timestamp to check against, and I cannot recall fail2ban having this 
> > > timestamp listed as valid.
> > >
> > > But as said - just out of the head.
> > > Regards,
> > > Finn
> > >
> > >
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @400000004dc390330ffb50f4 CHKUSER accepted sender: from 
> > >> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt <> 
> > >> : sender accepted
> > >> @400000004dc390340c9e201c CHKUSER rejected rcpt: from 
> > >> <r...@mydomain.com::> remote <demagnify:unknown:173.212.197.14> rcpt 
> > >> <m...@zicel.ru> : invalid rcpt MX domain
> > >> ..
> > >> @400000004dc3905511aba4bc CHKUSER accepted sender: from 
> > >> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt 
> > >> <> : sender accepted
> > >> @400000004dc390562cb394a4 CHKUSER rejected relaying: from 
> > >> <r...@ns.mozdesigners.com::> remote <byte:unknown:173.212.197.14> rcpt 
> > >> <mad...@usc.es> : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I 
> > >> have tried this:
> > >> "<HOST>\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seem to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client 
> > >> not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!
> >
> >
> > ---------------------------------------------------------------------------------
> > Qmailtoaster is sponsored by Vickers Consulting Group 
> > (www.vickersconsulting.com)
> >    Vickers Consulting Group offers Qmailtoaster support and installations.
> >      If you need professional help with your setup, contact them today!
> > ---------------------------------------------------------------------------------
> >     Please visit qmailtoaster.com for the latest news, updates, and 
> > packages.
> >
> >      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> >     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> >
> >
> >
> 
> 
> 
> 
> 
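An added example, not part of the original thread and not fail2ban's own code: it decodes the TAI64N labels from the quoted log lines, applies the failregex suggested above, and models why a matching line can still go uncounted when its timestamp is shifted by a time-zone offset, which is the issue the attached patch's title refers to. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the sliding-window check and the two-hour offset are assumptions for illustration, and the TAI-UTC leap-second offset (tens of seconds) is ignored.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three log lines quoted in the thread, re-joined to one line each.
SAMPLE_LOG = [
    "@400000004dc390330ffb50f4 CHKUSER accepted sender: from <r...@mydomain.com::> "
    "remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted",
    "@400000004dc390340c9e201c CHKUSER rejected rcpt: from <r...@mydomain.com::> "
    "remote <demagnify:unknown:173.212.197.14> rcpt <m...@zicel.ru> : invalid rcpt MX domain",
    "@400000004dc390562cb394a4 CHKUSER rejected relaying: from <r...@ns.mozdesigners.com::> "
    "remote <byte:unknown:173.212.197.14> rcpt <mad...@usc.es> : client not allowed to relay",
]

# Assumption: simplified stand-in for the <HOST> tag, not fail2ban's exact expansion.
HOST = r"(?P<host>[\w\-.^_]+)"
FAILREGEX = (
    r"CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> "
    r"rcpt <.*> : client not allowed to relay"
).replace("<HOST>", HOST)

def tai64n_to_epoch(label):
    """Decode '@' + 16 hex digits (seconds, biased by 2**62) + 8 hex digits (nanoseconds)."""
    m = re.fullmatch(r"@([0-9a-fA-F]{16})([0-9a-fA-F]{8})", label)
    if not m:
        raise ValueError("not a TAI64N label: %r" % label)
    secs, nanos = int(m.group(1), 16) - 2**62, int(m.group(2), 16)
    return secs + nanos / 1e9  # leap-second offset deliberately ignored

def failures(lines):
    """Return (epoch, host) for every line the failregex matches."""
    out = []
    for line in lines:
        label, _, rest = line.partition(" ")
        m = re.search(FAILREGEX, rest)
        if m:
            out.append((tai64n_to_epoch(label), m.group("host")))
    return out

def in_findtime(event_epoch, now_epoch, findtime=600):
    """Simplified sliding window: only events in the last `findtime` seconds count."""
    return 0 <= now_epoch - event_epoch <= findtime

if __name__ == "__main__":
    for epoch, host in failures(SAMPLE_LOG):
        print(host, datetime.fromtimestamp(epoch, timezone.utc).isoformat())
        now = epoch + 60  # constructed: the line is processed one minute after it was logged
        print("counted with correct time:", in_findtime(epoch, now))
        print("counted with 2 h skew:   ", in_findtime(epoch - 7200, now))
```

A skew in either direction drops the event from the window, which matches the symptom in the thread: `fail2ban-regex` reports hits, yet no ban is issued.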


