Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Tim Daneliuk

I am seeing login dictionary attacks on a FreeBSD mail server being
reported.  Is there a way to determine the IPs that are doing this
so they can be blocked at the firewall?   auth.log only
notes the attempted user name, not the IP of origin.
--
---
Tim Daneliuk
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Waitman Gobble
On Jun 4, 2013 9:00 AM, Tim Daneliuk tun...@tundraware.com wrote:

> I am seeing login dictionary attacks on a FreeBSD mail server being
> reported.  Is there a way to determine the IPs that are doing this
> so they can be blocked at the firewall?   auth.log only
> notes the attempted user name, not the IP of origin.
> --
> ---
> Tim Daneliuk

one idea is to run auth on a different service / machine on a non-standard
port, that at least cuts down the noise from non-targetted scans.

Waitman Gobble
San Jose California USA


Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Mark Felder
On Tue, 04 Jun 2013 10:47:16 -0500, Tim Daneliuk tun...@tundraware.com wrote:

> I am seeing login dictionary attacks on a FreeBSD mail server being
> reported.  Is there a way to determine the IPs that are doing this
> so they can be blocked at the firewall?   auth.log only
> notes the attempted user name, not the IP of origin.


I don't use sendmail, but aren't the login attempts at least logged in  
maillog as well? If so, you could use fail2ban to ban them. We do this  
with postfix/exim/dovecot/etc.



Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Doug Hardie

On 4 June 2013, at 08:47, Tim Daneliuk tun...@tundraware.com wrote:

> I am seeing login dictionary attacks on a FreeBSD mail server being
> reported.  Is there a way to determine the IPs that are doing this
> so they can be blocked at the firewall?   auth.log only
> notes the attempted user name, not the IP of origin.

I wrote some code to find the appropriate maillog entries which do include the
IP addresses.  It automagically adds the IP addresses to the pf blackhole table
if certain criteria are met.  The criteria are changeable.  If you would like a
copy, let me know.
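Doug's script is not posted in the thread; the following is an added example of the same idea (not his code and not from the list): pick the sendmail AUTH failures out of maillog, count them per client IP, and hand IPs over a threshold to the pf table. It assumes sendmail logs SASL failures as `AUTH failure ... relay=[a.b.c.d]`, as in the constructed sample lines below, and that the pf table is named `blackhole` as in Doug's message.

```shell
#!/bin/sh
# Added example, not the script discussed in the thread. Extract sendmail
# SASL AUTH failures from a maillog, count them per client IP, and add the
# worst offenders to a pf table. Assumptions: log lines end in
# "relay=[ip]" (or "relay=host [ip]") and the pf table is called "blackhole".
# The log lines below are constructed sample data, not real traffic.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun  4 08:41:02 mail sm-mta[4021]: r54FejAB004021: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin, relay=[192.0.2.10]
Jun  4 08:41:03 mail sm-mta[4022]: r54FekAB004022: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test, relay=[192.0.2.10]
Jun  4 08:41:05 mail sm-mta[4023]: r54FelAB004023: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=info, relay=[192.0.2.10]
Jun  4 08:42:11 mail sm-mta[4030]: r54FfmAB004030: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob, relay=host7.example.net [198.51.100.7]
Jun  4 08:43:00 mail sm-mta[4031]: r54FfnAB004031: AUTH=server, relay=[203.0.113.5], authid=alice, mech=PLAIN, bits=0
EOF

# offenders LOGFILE THRESHOLD
# Prints one IP per line for every client with at least THRESHOLD failures.
# Successful logins (AUTH=server) are ignored because they never match
# the "AUTH failure" marker.
offenders() {
    grep 'AUTH failure' "$1" \
      | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v min="$2" '$1 >= min { print $2 }'
}

# block IP...
# Adds each IP to the pf table. Only touches pf when run as root on a host
# that has pfctl; otherwise it prints what it would do (dry run).
block() {
    for ip in "$@"; do
        if [ "$(id -u)" -eq 0 ] && command -v pfctl >/dev/null 2>&1; then
            pfctl -t blackhole -T add "$ip"
        else
            echo "would run: pfctl -t blackhole -T add $ip"
        fi
    done
}

# Three or more failures from one address within the sample is the
# (adjustable) criterion used here.
block $(offenders "$SAMPLE_LOG" 3)
```

For real use point `offenders` at /var/log/maillog and run it from cron, and pair the table with a `block in quick from <blackhole>` rule in pf.conf.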


Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Tim Daneliuk

On 06/04/2013 04:51 PM, Doug Hardie wrote:

> On 4 June 2013, at 08:47, Tim Daneliuk tun...@tundraware.com wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported.  Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall?   auth.log only
>> notes the attempted user name, not the IP of origin.
>
> I wrote some code to find the appropriate maillog entries which do include the
> IP addresses.  It automagically adds the IP addresses to the pf blackhole table
> if certain criteria are met.  The criteria are changeable.  If you would like a
> copy, let me know.



Yes, I'd love a look at that, thanks.

--

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Chris Hill

On Tue, 4 Jun 2013, Doug Hardie wrote:

> On 4 June 2013, at 08:47, Tim Daneliuk tun...@tundraware.com wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported.  Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall?   auth.log only
>> notes the attempted user name, not the IP of origin.
>
> I wrote some code to find the appropriate maillog entries which do
> include the IP addresses.  It automagically adds the IP addresses to
> the pf blackhole table if certain criteria are met.  The criteria are
> changeable.  If you would like a copy, let me know.


That sounds incredibly useful. Can you post it somewhere?


--
Chris Hill   ch...@monochrome.org
** [ Busy Expunging / ]


Re: Can sasl/sendmail Report IP Of Failed Access?

2013-06-04 Thread Warren Block

On Tue, 4 Jun 2013, Tim Daneliuk wrote:

> On 06/04/2013 04:51 PM, Doug Hardie wrote:
>
>> On 4 June 2013, at 08:47, Tim Daneliuk tun...@tundraware.com wrote:
>>
>>> I am seeing login dictionary attacks on a FreeBSD mail server being
>>> reported.  Is there a way to determine the IPs that are doing this
>>> so they can be blocked at the firewall?   auth.log only
>>> notes the attempted user name, not the IP of origin.
>>
>> I wrote some code to find the appropriate maillog entries which do include
>> the IP addresses.  It automagically adds the IP addresses to the pf
>> blackhole table if certain criteria are met.  The criteria are changeable.
>> If you would like a copy, let me know.
>
> Yes, I'd love a look at that, thanks.


sshguard is supposed to be capable of analyzing log files beyond just 
ssh.
