Hi Dan. I'm having the same attempts - these days it escalates.
They get a 'tcpserver: end 28341 status 256' in the submission log because of vpopmail refusal (I think), so I catch them in the maillog file. (Now I come to think of it, one should catch all status 256's and ban them!) I'm using Fail2ban version 0.8.11 - the latest is 0.9.1 as I recall, but there have been some changes to the settings, so I'm still planning to do some testing. Fail2ban is pretty straightforward to install - there are a lot of filters and actions implemented - making your own filters is doable if you know regex (Python based). (I'm also using fail2ban to 'protect' my webservers against attempts of different kinds) - it's not foolproof and the only safety precaution of course, but it blocks these irritating resource-demanding intrusion attempts effectively - when they change IP to another country - in my case - 3 strikes and you're out for 172800 secs in my setup, no matter the IP address. I'm not an expert, but let me know if you have questions and I will answer if I can.

This is my entry in jail.conf for this specifically:

[vpopmail]
enabled  = true
filter   = vpopmail
action   = iptables-allports[name=vpopmail, protocol=tcp]
           sendmail-whois[name=vpopmail, lines=1, dest=x...@yy.com]
logpath  = /var/log/maillog
maxretry = 3
findtime = 3600
bantime  = 172800

This is my filter in filter.d/vpopmail.conf:

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
# Values:  TEXT
#
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>$
            vchkpw-submission: vpopmail user not found .*:<HOST>$
            vchkpw-pop3: vpopmail user not found .*:<HOST>$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This is one of the catches ;-)

The IP 218.76.158.162 has just been banned by Fail2Ban after 3 attempts against vpopmail.
Here is more information about 218.76.158.162:

Regards,
Fail2Ban

Cheers,
Finn

On 07-08-2014 at 00:09, Dan McAllister wrote:
> I am curious -- has anyone looked into a fail2ban implementation for QMT
>
> One of my larger mail servers is being attacked (from China, currently,
> but when it started in Malaysia and I blocked all Malaysian IPs, they
> just moved to another IP) with essentially a brute-force password
> guessing attack on users in one of the domains.
>
> They are using the SUBMISSION port to attempt logins, but I'd like to be
> able to ban SUBMISSION as well as IMAP/POP access (independently, or
> together) based on failed login attempts. (Ideally, same IP fail to
> login on any of those ports more than 5 times in a 5 minute period, and
> I'd like to simply tar-pit the entire IP address for 24 hours or so!)
>
> I'm (as amazing as it sounds) not all that familiar with fail2ban, but
> I've considered it several times and just never had the time to
> investigate.
>
> Assistance and experiences equally desired! :)
>
> Dan McAllister
> QMT DNS/Mirror Admin
>

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
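As an added illustration of how the [vpopmail] jail and filter posted above behave together (this is example code, not from the thread or from fail2ban itself), the following Python applies the three failregex lines to constructed maillog entries and replays fail2ban's maxretry/findtime/bantime logic; it assumes an IPv4-only expansion of <HOST>, whereas fail2ban's own <HOST> also matches hostnames and IPv6 addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex lines from the thread's filter; <HOST> is expanded to an IPv4 capture
# group here (assumption: fail2ban's own <HOST> also matches hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"vchkpw-smtp: vpopmail user not found .*:<HOST>$",
    r"vchkpw-submission: vpopmail user not found .*:<HOST>$",
    r"vchkpw-pop3: vpopmail user not found .*:<HOST>$",
)]
MAXRETRY, FINDTIME, BANTIME = 3, 3600, 172800  # the [vpopmail] jail.conf values

def failed_host(line):
    """IP from a maillog line that matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def simulate_jail(entries):
    """entries: (datetime, line) pairs in log order -> {ip: (ban_start, ban_end)}."""
    recent, banned = defaultdict(deque), {}
    for ts, line in entries:
        ip = failed_host(line)
        if ip is None or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FINDTIME:
            q.popleft()                       # forget failures older than findtime
        if len(q) >= MAXRETRY:                # here fail2ban would run the actions
            banned[ip] = (ts, ts + timedelta(seconds=BANTIME))
    return banned

# Constructed sample entries (not real log data): 203.0.113.5 fails 3 times in 10
# minutes, 198.51.100.9 only once, 192.0.2.7 3 times but spread over 4 hours.
T0 = datetime(2014, 8, 7, 0, 0)
SAMPLE = [
    (T0, "vchkpw-submission: vpopmail user not found bob@example.com:203.0.113.5"),
    (T0 + timedelta(minutes=5), "vchkpw-submission: vpopmail user not found alice@example.com:203.0.113.5"),
    (T0 + timedelta(minutes=6), "vchkpw-pop3: vpopmail user not found carol@example.com:198.51.100.9"),
    (T0 + timedelta(minutes=10), "vchkpw-smtp: vpopmail user not found root@example.com:203.0.113.5"),
    (T0 + timedelta(minutes=11), "vchkpw-submission: vpopmail user not found ok@example.com:192.0.2.7"),
    (T0 + timedelta(hours=2), "vchkpw-submission: vpopmail user not found ok@example.com:192.0.2.7"),
    (T0 + timedelta(hours=4), "vchkpw-submission: vpopmail user not found ok@example.com:192.0.2.7"),
]
```

Calling simulate_jail(SAMPLE) bans only 203.0.113.5, at 00:10 until two days later; the slow attacker 192.0.2.7 never accumulates three matches inside one findtime window, which is the trade-off of a 3600-second window.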