Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
That is not true. fail2ban understands tai64n timestamps as used below.

Btw., for fail2ban specific questions, it makes more sense to ask on the 
fail2ban mailing list. :-)

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

On 06.05.2011 at 08:58, Finn Buhelt wrote:

> Hi.
> 
> Just out of the head I think it's tricky because fail2ban needs a known 
> timestamp to check against, and I cannot recall fail2ban having this 
> timestamp listed as valid.
> 
> But as said - just out of the head.
> Regards,
> Finn
> 
> 
> 
> On 06-05-2011 08:10, Délsio Cabá wrote:
>> Hi all
>> 
>> I am getting a lot of DDOS on smtp connection logs:
>> 
>> @40004dc390330ffb50f4 CHKUSER accepted sender: from 
>>  remote  rcpt <> : 
>> sender accepted
>> @40004dc390340c9e201c CHKUSER rejected rcpt: from  
>> remote  rcpt  : invalid 
>> rcpt MX domain
>> ..
>> @40004dc3905511aba4bc CHKUSER accepted sender: from 
>>  remote  rcpt <> : 
>> sender accepted
>> @40004dc390562cb394a4 CHKUSER rejected relaying: from 
>>  remote  rcpt 
>>  : client not allowed to relay
>> 
>> I need to block this using fail2ban but the regex is quite complex. I have 
>> tried this:
>> "\> rcpt \S+ : client not allowed to relay$"
>> 
>> But it doesn't seem to be working as expected:
>> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client not 
>> allowed to relay"
>> ...
>> Date template hits:
>> 0 hit(s): MONTH Day Hour:Minute:Second
>> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
>> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
>> 0 hit(s): Year/Month/Day Hour:Minute:Second
>> 0 hit(s): Day/Month/Year Hour:Minute:Second
>> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
>> 0 hit(s): Month/Day/Year:Hour:Minute:Second
>> 0 hit(s): Year-Month-Day Hour:Minute:Second
>> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
>> 0 hit(s): Day-Month-Year Hour:Minute:Second
>> 1184 hit(s): TAI64N
>> 0 hit(s): Epoch
>> 0 hit(s): ISO 8601
>> 0 hit(s): Hour:Minute:Second
>> 0 hit(s): 
>> 
>> Any help would be very appreciated
>> Thanks!


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Délsio Cabá
Hi all,

I agree, but fail2ban is being used with qmailtoaster, as seen in this
guide:
http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
But that guide and many others I have found on the net don't include a regex
for my case: "client not allowed to relay"
My problem is really to get a valid regex.

I will post it on the fail2ban mailing list as well, but it's important to post
it here too.

Thanks


2011/5/6 Martin Waschbüsch IT-Dienstleistungen 

> That is not true. fail2ban understands tai64n timestamps as used below.
>
> Btw., for fail2ban specific questions, it makes more sense to ask on the
> fail2ban mailing list. :-)
>
> Martin
>
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
>
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
>
> On 06.05.2011 at 08:58, Finn Buhelt wrote:
>
> > Hi.
> >
> > Just out of the head I think it's tricky because fail2ban needs a known
> timestamp to check against, and I cannot recall fail2ban having this
> timestamp listed as valid.
> >
> > But as said - just out of the head.
> > Regards,
> > Finn
> >
> >
> >
> > On 06-05-2011 08:10, Délsio Cabá wrote:
> >> Hi all
> >>
> >> I am getting a lot of DDOS on smtp connection logs:
> >>
> >> @40004dc390330ffb50f4 CHKUSER accepted sender: from
>  remote  rcpt <> :
> sender accepted
> >> @40004dc390340c9e201c CHKUSER rejected rcpt: from
>  remote  rcpt <
> m...@zicel.ru> : invalid rcpt MX domain
> >> ..
> >> @40004dc3905511aba4bc CHKUSER accepted sender: from
>  remote  rcpt <>
> : sender accepted
> >> @40004dc390562cb394a4 CHKUSER rejected relaying: from
>  remote  rcpt <
> mad...@usc.es> : client not allowed to relay
> >>
> >> I need to block this using fail2ban but the regex is quite complex. I
> have tried this:
> >> "\> rcpt \S+ : client not allowed to relay$"
> >>
> >> But it doesn't seem to be working as expected:
> >> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client
> not allowed to relay"
> >> ...
> >> Date template hits:
> >> 0 hit(s): MONTH Day Hour:Minute:Second
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> >> 1184 hit(s): TAI64N
> >> 0 hit(s): Epoch
> >> 0 hit(s): ISO 8601
> >> 0 hit(s): Hour:Minute:Second
> >> 0 hit(s): 
> >>
> >> Any help would be very appreciated
> >> Thanks!
>
>
>


Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
You might try:

failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt 
<.*> : client not allowed to relay

when I did 

fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
<.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"

I got 35 hits.

Martin

PS: All I did was to replace variable strings in the log line with wildcard .*


--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

On 06.05.2011 at 09:07, Délsio Cabá wrote:

> Hi all,
> 
> I agree, but, fail2ban is being used with qmailtoaster as seen on this guide: 
> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> But that guide and many others I have found on the net don't include a regex 
> for my case: "client not allowed to relay"
> My problem is really to get a valid regex.
> 
> I will post it on fail2ban mailing list also. But it's important to post this 
> here also
> 
> Thanks
> 
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> That is not true. fail2ban understands tai64n timestamps as used below.
> 
> Btw., for fail2ban specific questions, it makes more sense to ask on the 
> fail2ban mailing list. :-)
> 
> Martin
> 
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
> 
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
> 
> On 06.05.2011 at 08:58, Finn Buhelt wrote:
> 
> > Hi.
> >
> > Just out of the head I think it's tricky because fail2ban needs a known 
> > timestamp to check against, and I cannot recall fail2ban having this 
> > timestamp listed as valid.
> >
> > But as said - just out of the head.
> > Regards,
> > Finn
> >
> >
> >
> > On 06-05-2011 08:10, Délsio Cabá wrote:
> >> Hi all
> >>
> >> I am getting a lot of DDOS on smtp connection logs:
> >>
> >> @40004dc390330ffb50f4 CHKUSER accepted sender: from 
> >>  remote  rcpt <> : 
> >> sender accepted
> >> @40004dc390340c9e201c CHKUSER rejected rcpt: from 
> >>  remote  rcpt 
> >>  : invalid rcpt MX domain
> >> ..
> >> @40004dc3905511aba4bc CHKUSER accepted sender: from 
> >>  remote  rcpt <> 
> >> : sender accepted
> >> @40004dc390562cb394a4 CHKUSER rejected relaying: from 
> >>  remote  rcpt 
> >>  : client not allowed to relay
> >>
> >> I need to block this using fail2ban but the regex is quite complex. I have 
> >> tried this:
> >> "\> rcpt \S+ : client not allowed to relay$"
> >>
> >> But it doesn't seem to be working as expected:
> >> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client not 
> >> allowed to relay"
> >> ...
> >> Date template hits:
> >> 0 hit(s): MONTH Day Hour:Minute:Second
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> >> 1184 hit(s): TAI64N
> >> 0 hit(s): Epoch
> >> 0 hit(s): ISO 8601
> >> 0 hit(s): Hour:Minute:Second
> >> 0 hit(s): 
> >>
> >> Any help would be very appreciated
> >> Thanks!
> 
> 






Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Délsio Cabá
Hi,
I also do get hits:

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
5796 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): 

Success, the total number of match is 134


But they are in TAI64N, isn't that a problem? Will fail2ban be able to get
the time from that?



2011/5/6 Martin Waschbüsch IT-Dienstleistungen 

> You might try:
>
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt
> <.*> : client not allowed to relay
>
> when I did
>
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from
> <.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"
>
> I got 35 hits.
>
> Martin
>
> PS: All I did was to replace variable strings in the log line with wildcard
> .*
>
>
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
>
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
>
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
>
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this
> guide:
> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a
> regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post
> this here also
> >
> > Thanks
> >
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the
> fail2ban mailing list. :-)
> >
> > Martin
> >
> > --
> > Martin Waschbüsch
> > IT-Dienstleistungen
> > Lautensackstr. 16
> > 80687 München
> >
> > Phone: +49 89 57005708
> > Fax: +49 89 57868023
> > Mobile: +49 170 2189794
> > serv...@waschbuesch.it
> > http://www.waschbuesch.it
> >
> > On 06.05.2011 at 08:58, Finn Buhelt wrote:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known
> timestamp to check against, and I cannot recall fail2ban having this
> timestamp listed as valid.
> > >
> > > But as said - just out of the head.
> > > Regards,
> > > Finn
> > >
> > >
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @40004dc390330ffb50f4 CHKUSER accepted sender: from
>  remote  rcpt <> :
> sender accepted
> > >> @40004dc390340c9e201c CHKUSER rejected rcpt: from
>  remote  rcpt <
> m...@zicel.ru> : invalid rcpt MX domain
> > >> ..
> > >> @40004dc3905511aba4bc CHKUSER accepted sender: from
>  remote  rcpt <>
> : sender accepted
> > >> @40004dc390562cb394a4 CHKUSER rejected relaying: from
>  remote  rcpt <
> mad...@usc.es> : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I
> have tried this:
> > >> "\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seem to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client
> not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): 
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!
> >
> >
> >

Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Toma Bogdan

> On 5/6/2011 9:10 AM, Délsio Cabá wrote:
>
> Hi all
>
> I am getting a lot of DDOS on smtp connection logs:
>
> @40004dc390330ffb50f4 CHKUSER accepted sender: from
>  remote  rcpt
> <> : sender accepted
> @40004dc390340c9e201c CHKUSER rejected rcpt: from
>  remote  rcpt
> <m...@zicel.ru> : invalid rcpt MX domain
>
> ..
> @40004dc3905511aba4bc CHKUSER accepted sender: from
>  remote  rcpt
> <> : sender accepted
> @40004dc390562cb394a4 CHKUSER rejected relaying: from
>  remote  rcpt
> <mad...@usc.es> : client not allowed to relay
>
>
> I need to block this using fail2ban but the regex is quite complex. I
> have tried this:
>
> "\> rcpt \S+ : client not allowed to relay$"
>
> But it doesn't seem to be working as expected:
> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client
> not allowed to relay"
>
> ...
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 1184 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): 
>
> Any help would be very appreciated
> Thanks!

try this
failregex = CHKUSER .* <\w*:\w*:> .* : client not allowed to relay$

check it with:
fail2ban-regex /var/log/qmail/smtp/current 
/etc/fail2ban/filters/qmail-smtp-filter.conf



--
T. Bogdan
Network/Systems Security
www.direkt.ro




Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Délsio Cabá
Hi, I have even tried with:
timepattern = tai64n

and fail2ban simply fails to ban. My Configuration is:
qmail-smtp.conf
[Definition]
failregex = CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt
<.*> : client not allowed to relay

jail.conf
[qmail-smtp]
enabled = true
filter = qmail
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/qmail/smtp/current
maxretry = 5
bantime = 3600
ignoreip = 127.0.0.1
timepattern = tai64n



2011/5/6 Martin Waschbüsch IT-Dienstleistungen 

> You might try:
>
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt
> <.*> : client not allowed to relay
>
> when I did
>
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from
> <.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"
>
> I got 35 hits.
>
> Martin
>
> PS: All I did was to replace variable strings in the log line with wildcard
> .*
>
>
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
>
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
>
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
>
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this
> guide:
> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a
> regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post
> this here also
> >
> > Thanks
> >
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the
> fail2ban mailing list. :-)
> >
> > Martin
> >
> > --
> > Martin Waschbüsch
> > IT-Dienstleistungen
> > Lautensackstr. 16
> > 80687 München
> >
> > Phone: +49 89 57005708
> > Fax: +49 89 57868023
> > Mobile: +49 170 2189794
> > serv...@waschbuesch.it
> > http://www.waschbuesch.it
> >
> > On 06.05.2011 at 08:58, Finn Buhelt wrote:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known
> timestamp to check against, and I cannot recall fail2ban having this
> timestamp listed as valid.
> > >
> > > But as said - just out of the head.
> > > Regards,
> > > Finn
> > >
> > >
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @40004dc390330ffb50f4 CHKUSER accepted sender: from
>  remote  rcpt <> :
> sender accepted
> > >> @40004dc390340c9e201c CHKUSER rejected rcpt: from
>  remote  rcpt <
> m...@zicel.ru> : invalid rcpt MX domain
> > >> ..
> > >> @40004dc3905511aba4bc CHKUSER accepted sender: from
>  remote  rcpt <>
> : sender accepted
> > >> @40004dc390562cb394a4 CHKUSER rejected relaying: from
>  remote  rcpt <
> mad...@usc.es> : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I
> have tried this:
> > >> "\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seem to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client
> not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): 
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!
> >
> >
> >

Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
Hi,

You should get different output.

Note that you have 5796 hits for tai64n, which means that it recognized that 
many lines as starting with a date / time stamp.
There should be a section where it identifies IPs.

The important part is a section that looks like this:
Results
===

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt <.*> : 
client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

If this has matches, then these are matches against your failregex (35 in my case).

My complete output looks like this:


snip

fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
<.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"

Running tests
=

Use regex line : CHKUSER rejected relaying: from <.*:> remote <.*:
Use log file   : /var/log/qmail/smtp/current


Results
===

Failregex
|- Regular expressions:
|  [1] CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt <.*> : 
client not allowed to relay
|
`- Number of matches:
   [1] 35 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
===

Addresses found:
[1]
186.129.200.133 (Sat Apr 30 02:37:49 2011)
186.129.200.133 (Sat Apr 30 02:38:28 2011)
186.129.200.133 (Sat Apr 30 02:38:49 2011)
186.129.200.133 (Sat Apr 30 02:39:11 2011)
190.149.150.115 (Sat Apr 30 04:44:06 2011)
221.5.15.185 (Sat Apr 30 07:39:00 2011)
173.212.197.14 (Sat Apr 30 21:34:53 2011)
2.89.80.14 (Sun May 01 02:38:23 2011)
221.5.15.185 (Sun May 01 02:38:42 2011)
221.5.15.185 (Sun May 01 22:02:30 2011)
178.187.135.228 (Mon May 02 11:26:18 2011)
178.187.135.228 (Mon May 02 11:26:41 2011)
178.187.135.228 (Mon May 02 11:26:58 2011)
178.187.135.228 (Mon May 02 11:27:15 2011)
180.180.236.216 (Mon May 02 14:39:32 2011)
180.180.236.216 (Mon May 02 14:40:08 2011)
180.180.236.216 (Mon May 02 14:40:45 2011)
180.180.236.216 (Mon May 02 14:41:14 2011)
221.5.15.185 (Mon May 02 17:53:03 2011)
123.19.174.69 (Tue May 03 02:02:36 2011)
190.234.85.198 (Tue May 03 02:12:38 2011)
221.5.13.193 (Tue May 03 16:02:05 2011)
178.95.2.102 (Tue May 03 22:30:23 2011)
178.95.2.102 (Tue May 03 22:31:24 2011)
178.95.2.102 (Tue May 03 22:31:55 2011)
178.95.2.102 (Tue May 03 22:32:59 2011)
190.233.69.51 (Wed May 04 01:16:13 2011)
117.2.140.171 (Wed May 04 02:34:00 2011)
88.185.226.159 (Wed May 04 23:42:27 2011)
88.185.226.159 (Wed May 04 23:43:11 2011)
88.185.226.159 (Wed May 04 23:43:37 2011)
88.185.226.159 (Wed May 04 23:44:01 2011)
186.2.3.244 (Thu May 05 03:13:41 2011)
221.5.14.62 (Thu May 05 17:33:45 2011)
190.239.206.8 (Fri May 06 01:24:38 2011)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
8502 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 35

However, look at the above section 'Running tests', which could contain important
information.


snip


Hope this helps?

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it

On 06.05.2011 at 10:08, Délsio Cabá wrote:

> Hi,
> I also do get hits:
> 
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 5796 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): 
> 
> Success, the total number of match is 134
> 
> 
> But they are in TAI64N, isn't that a problem? Will fail2ban be able to get 
> the time from that?
> 
> 
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> You might try:
> 
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt 
> <.*> : client not allowed to relay
> 
> when I did
> 
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
> <.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"
> 
> I got 35 hits.
> 
> Martin
> 
> PS: All I did was to replace variable strings in the log line with wildcard .*
> 
> 
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
> 
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 21

Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Délsio Cabá
Hi,

Same behavior: it does get some hits, but it doesn't ban. The other fail2ban
filters are working, except the one for qmail.

fail2ban-regex /var/log/qmail/smtp/current
/etc/fail2ban/filter.d/qmail-smtp.conf

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
6347 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): 

Success, the total number of match is 168


[delsio@ns ~]# fail2ban-client status qmail-smtp
Status for the jail: qmail-smtp
|- filter
|  |- File list:/var/log/qmail/smtp/current
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0


2011/5/6 Toma Bogdan 

>  On 5/6/2011 9:10 AM, Délsio Cabá wrote:
>
> Hi all
>
> I am getting a lot of DDOS on smtp connection logs:
>
> @40004dc390330ffb50f4 CHKUSER accepted sender: from
>   remote
>  rcpt <> : sender accepted
> @40004dc390340c9e201c CHKUSER rejected rcpt: from
>   remote
>  rcpt  : invalid rcpt MX
> domain
> ..
> @40004dc3905511aba4bc CHKUSER accepted sender: from
>   remote
>  rcpt <> : sender accepted
> @40004dc390562cb394a4 CHKUSER rejected relaying: from
>   remote
>  rcpt  : client not allowed to
> relay
>
> I need to block this using fail2ban but the regex is quite complex. I have
> tried this:
> "\> rcpt \S+ : client not allowed to relay$"
>
> But it doesn't seem to be working as expected:
> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client not
> allowed to relay"
> ...
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 1184 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): 
>
> Any help would be very appreciated
> Thanks!
>
> try this
> failregex = CHKUSER .* <\w*:\w*:> .* : client not allowed to relay$
>
> check it with :
> fail2ban-regex /var/log/qmail/smtp/current
> /etc/fail2ban/filters/qmail-smtp-filter.conf
>
>
> --
> T. Bogdan
> Network/Systems Security
> www.direkt.ro
>
>


Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
So, the regex shows matches when you use fail2ban-regex, but it never takes 
action?

Please try the attached patch for fail2ban, just in case your version does not 
already incorporate this...

Martin

--
Martin Waschbüsch
IT-Dienstleistungen
Lautensackstr. 16
80687 München

Phone: +49 89 57005708
Fax: +49 89 57868023
Mobile: +49 170 2189794
serv...@waschbuesch.it
http://www.waschbuesch.it


0002-Tai64N-stores-time-in-GMT-we-need-to-convert-to-loca.patch
Description: Binary data

On 06.05.2011 at 10:15, Délsio Cabá wrote:

> Hi, I have even tried with:
> timepattern = tai64n
> 
> and fail2ban simply fails to ban. My Configuration is:
> qmail-smtp.conf
> [Definition]
> failregex = CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt 
> <.*> : client not allowed to relay
> 
> jail.conf
> [qmail-smtp]
> enabled = true
> filter = qmail
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
> logpath = /var/log/qmail/smtp/current
> maxretry = 5
> bantime = 3600
> ignoreip = 127.0.0.1
> timepattern = tai64n
> 
> 
> 
> 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> You might try:
> 
> failregex: CHKUSER rejected relaying: from <.*:> remote <.*:.*:> rcpt 
> <.*> : client not allowed to relay
> 
> when I did
> 
> fail2ban-regex /var/log/qmail/smtp/current "CHKUSER rejected relaying: from 
> <.*:> remote <.*:.*:> rcpt <.*> : client not allowed to relay"
> 
> I got 35 hits.
> 
> Martin
> 
> PS: All I did was to replace variable strings in the log line with wildcard .*
> 
> 
> --
> Martin Waschbüsch
> IT-Dienstleistungen
> Lautensackstr. 16
> 80687 München
> 
> Phone: +49 89 57005708
> Fax: +49 89 57868023
> Mobile: +49 170 2189794
> serv...@waschbuesch.it
> http://www.waschbuesch.it
> 
> On 06.05.2011 at 09:07, Délsio Cabá wrote:
> 
> > Hi all,
> >
> > I agree, but, fail2ban is being used with qmailtoaster as seen on this 
> > guide: 
> > http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&redirect=no&printable=yes
> > But that guide and many others I have found on the net don't include a 
> > regex for my case: "client not allowed to relay"
> > My problem is really to get a valid regex.
> >
> > I will post it on fail2ban mailing list also. But it's important to post 
> > this here also
> >
> > Thanks
> >
> >
> > 2011/5/6 Martin Waschbüsch IT-Dienstleistungen 
> > That is not true. fail2ban understands tai64n timestamps as used below.
> >
> > Btw., for fail2ban specific questions, it makes more sense to ask on the 
> > fail2ban mailing list. :-)
> >
> > Martin
> >
> > --
> > Martin Waschbüsch
> > IT-Dienstleistungen
> > Lautensackstr. 16
> > 80687 München
> >
> > Telefon: +49 89 57005708
> > Fax: +49 89 57868023
> > Mobil: +49 170 2189794
> > serv...@waschbuesch.it
> > http://www.waschbuesch.it
> >
> > Am 06.05.2011 um 08:58 schrieb Finn Buhelt:
> >
> > > Hi.
> > >
> > > Just out of the head I think it's tricky because fail2ban needs a known 
> > > timestamp to check against, and I cannot recall fail2ban having this 
> > > timestamp listed as valid.
> > >
> > > But as said  -just out of the head.
> > > Regards,
> > > Finn
> > >
> > >
> > >
> > > On 06-05-2011 08:10, Délsio Cabá wrote:
> > >> Hi all
> > >>
> > >> I am getting a lot of DDOS on smtp connection logs:
> > >>
> > >> @40004dc390330ffb50f4 CHKUSER accepted sender: from 
> > >>  remote  rcpt <> 
> > >> : sender accepted
> > >> @40004dc390340c9e201c CHKUSER rejected rcpt: from 
> > >>  remote  rcpt 
> > >>  : invalid rcpt MX domain
> > >> ..
> > >> @40004dc3905511aba4bc CHKUSER accepted sender: from 
> > >>  remote  rcpt 
> > >> <> : sender accepted
> > >> @40004dc390562cb394a4 CHKUSER rejected relaying: from 
> > >>  remote  rcpt 
> > >>  : client not allowed to relay
> > >>
> > >> I need to block this using fail2ban but the regex is quite complex. I 
> > >> have tried this:
> > >> "\> rcpt \S+ : client not allowed to relay$"
> > >>
> > >> But it doesn't seam to be working as expected:
> > >> fail2ban-regex /var/log/qmail/smtp/current "\> rcpt \S+ : client 
> > >> not allowed to relay"
> > >> ...
> > >> Date template hits:
> > >> 0 hit(s): MONTH Day Hour:Minute:Second
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> > >> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> > >> 0 hit(s): Year/Month/Day Hour:Minute:Second
> > >> 0 hit(s): Day/Month/Year Hour:Minute:Second
> > >> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> > >> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> > >> 0 hit(s): Year-Month-Day Hour:Minute:Second
> > >> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> > >> 0 hit(s): Day-Month-Year Hour:Minute:Second
> > >> 1184 hit(s): TAI64N
> > >> 0 hit(s): Epoch
> > >> 0 hit(s): ISO 8601
> > >> 0 hit(s): Hour:Minute:Second
> > >> 0 hit(s): 
> > >>
> > >> Any help would be very appreciated
> > >> Thanks!
> >
> >
> > -
> > Qmailtoaster is sponsored by Vickers Consulting Group 
> > (www.vickersconsulting.com)
> >Vicker

Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
OK, it definitely is the patch I sent - fail2ban fails to recognize the local 
time zone you use. This causes times to never fall into the specified period 
you use for checking if the attempt occurs multiple times.
Once you replace
date = list(time.gmtime(int(seconds_since_epoch, 16)))
with
date = list(time.localtime(int(seconds_since_epoch, 16)))

in /usr/share/fail2ban/server/datetemplate.py (near end of file), all should be 
fine.

Martin


On 06.05.2011 at 10:17, Délsio Cabá wrote:

> Hi,
> 
> Same behavior, it does get some hits, but it doesn't ban. Other fail2ban 
> filters are working except the one from qmail.
> 
> fail2ban-regex /var/log/qmail/smtp/current 
> /etc/fail2ban/filter.d/qmail-smtp.conf
> 
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 6347 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): 
> 
> Success, the total number of match is 168
> 
> 
> [delsio@ns ~]# fail2ban-client status qmail-smtp
> Status for the jail: qmail-smtp
> |- filter
> |  |- File list:/var/log/qmail/smtp/current
> |  |- Currently failed: 0
> |  `- Total failed: 0
> `- action
>|- Currently banned: 0
>|  `- IP list:
>`- Total banned: 0
> 
> 
> 2011/5/6 Toma Bogdan 
> try this
> failregex = CHKUSER .* <\w*:\w*:<HOST>> .* : client not allowed to relay$
> 
> check it with :
> fail2ban-regex /var/log/qmail/smtp/current 
> /etc/fail2ban/filters/qmail-smtp-filter.conf
> 
> 
> -- 
> T. Bogdan
> Network/Systems Security
> 
> www.direkt.ro
> 
> 
> 
> 


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
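
What Martin's one-line change in datetemplate.py actually does is easiest to see in code. The following is an added example written for this archive, not fail2ban's code and not something posted in the thread: it decodes a TAI64N label the way multilog writes it and then runs both the gmtime() and the localtime() conversion through time.mktime(), which is how the jail turns the struct_time back into seconds. Assumptions, all mine: daemontools' tai64n stamps Unix time + 2^62 + 10 s (fail2ban drops the 10 s, which is harmless for findtime); the thread's first label is taken to be @400000004dc390330ffb50f4 (the archive shows it with zeros collapsed); skew_for_offset() uses UTC+2 only as an assumed offset for the poster's zone; findtime = 600 is fail2ban's default.

```python
"""TAI64N labels and the gmtime()/localtime() conversion in fail2ban 0.8.4.

Added example, not code from the thread or from fail2ban itself. It decodes the
@-prefixed label multilog puts in front of every line and models what the jail
does with the struct_time that datetemplate.py returns.
"""
import re
import time

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})")
# daemontools' tai64n: Unix time + 2^62 + 10 s (libtai keeps the 1972 TAI-UTC
# offset of 10 s; fail2ban ignores those 10 s, which is harmless for findtime).
# Assumption about the label format, stated in the lead-in.
TAI64_UNIX_EPOCH = (1 << 62) + 10


def tai64n_to_epoch(line):
    """Unix seconds (float) encoded by the TAI64N label that starts `line`, or None."""
    m = TAI64N_RE.match(line)
    if m is None:
        return None
    secs = int(m.group(1), 16) - TAI64_UNIX_EPOCH
    nanos = int(m.group(2), 16)
    return secs + nanos / 1e9


def to_epoch_0_8_4(unix_secs):
    """The unpatched path: time.gmtime() yields a UTC wall-clock struct_time, and
    the jail converts it back with time.mktime(), which treats the fields as
    *local* wall-clock time. The result is off by this machine's UTC offset."""
    return int(time.mktime(time.gmtime(unix_secs)))


def to_epoch_patched(unix_secs):
    """Martin's patch: localtime() is exactly what mktime() inverts."""
    return int(time.mktime(time.localtime(unix_secs)))


def skew_seconds(unix_secs):
    """How far the unpatched conversion is off on this machine (0 only in UTC)."""
    return to_epoch_0_8_4(unix_secs) - to_epoch_patched(unix_secs)


def skew_for_offset(unix_secs, utc_offset_secs):
    """Same arithmetic for a zone at a fixed UTC offset, independent of the zone
    this script runs in: mktime() subtracts the local offset from the UTC fields.
    Using 7200 (UTC+2) for the poster's zone is an assumption for illustration."""
    return unix_secs - utc_offset_secs


def counted_by_jail(event_epoch, now, findtime=600):
    """A jail only counts failures whose timestamp lies within findtime of now;
    anything older than now - findtime is discarded before it can reach maxretry."""
    return event_epoch >= now - findtime


if __name__ == "__main__":
    # assumed full form of the thread's first label (24 hex digits)
    line = "@400000004dc390330ffb50f4 CHKUSER accepted sender: ..."
    t = tai64n_to_epoch(line)
    print("label decodes to", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t)))
    print("unpatched skew on this host:", skew_seconds(t), "s")
    bad = skew_for_offset(t, 2 * 3600)
    print("counted at UTC+2, one minute later:", counted_by_jail(bad, t + 60))
```

Run stand-alone it prints the decoded time and this host's skew. The arithmetic in skew_for_offset() also shows why only servers east of UTC were bitten: with a negative offset the unpatched value lands in the future, which the jail still counts, so a host in UTC-5 would have banned fine while one in UTC+2 silently dropped every hit as older than findtime.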




Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Délsio Cabá
Hi Martin,

Instead of applying your patch I just downloaded the latest snapshot, which
already has that patch, and the behavior is exactly the same: the regex gets
the hit but it never blocks the IP.

[delsio@ns fail2ban-0.8.4-SVN]# tail -f /var/log/fail2ban.log
2011-05-06 14:07:43,587 fail2ban.actions: INFO   Set banTime = 6
2011-05-06 14:07:43,597 fail2ban.jail   : INFO   Jail 'qmail' started
2011-05-06 14:07:43,602 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-05-06 14:07:43,607 fail2ban.jail   : INFO   Jail 'password-fail'
started
2011-05-06 14:07:43,616 fail2ban.jail   : INFO   Jail 'username-notfound'
started
2011-05-06 14:07:43,629 fail2ban.jail   : INFO   Jail 'qmail-smtp' started
2011-05-06 14:07:43,627 fail2ban.actions.action: ERROR  iptables -N
fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 200
2011-05-06 14:07:43,653 fail2ban.jail   : INFO   Jail 'named-refused-tcp'
started
2011-05-06 14:08:05,672 fail2ban.actions: WARNING [named-refused-tcp] Ban
200.184.124.226
2011-05-06 14:08:05,682 fail2ban.actions: WARNING [named-refused-tcp] Ban
76.76.11.241
2011-05-06 14:08:05,693 fail2ban.actions: WARNING [named-refused-tcp] Ban
67.228.118.3

[delsio@ns etc]# fail2ban-client status qmail-smtp
Status for the jail: qmail-smtp
|- filter
|  |- File list:/var/log/qmail/smtp/current
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0


Any other recommendation?

2011/5/6 Martin Waschbüsch IT-Dienstleistungen 

> OK, it definitely is the patch I sent - fail2ban fails to recognize the
> local time zone you use. This causes times to never fall into the specified
> period you use for checking if the attempt occurs multiple times.
> Once you replace
> date = list(time.gmtime(int(seconds_since_epoch, 16)))
> with
> date = list(time.localtime(int(seconds_since_epoch, 16)))
>
> in /usr/share/fail2ban/server/datetemplate.py (near end of file), all
> should be fine.
>
> Martin
>
>

Re: [qmailtoaster] Regex for fail2ban - SMTP DDos

2011-05-06 Thread Martin Waschbüsch IT-Dienstleistungen
Delsio,

Perhaps we can take this off the list - email me your qmail-smtp.conf from 
filters.d and your jail.conf. Once we find what was up, we can still let 
everyone on the list know the problem & solution.
Also, could you add a sample of your /var/log/qmail/smtp/current for me to 
test with?

Thanks,

Martin



[qmailtoaster] Re: Fail2ban smtp filter

2011-05-06 Thread Délsio Cabá
Oh Man,

You were completely right, I didn't do it right.
It's working now:
2011-05-06 17:02:33,100 fail2ban.actions: WARNING [qmail] Ban 173.212.197.14
2011-05-06 17:02:33,100 fail2ban.actions: WARNING [qmail] Ban 173.212.197.17
2011-05-06 17:02:33,100 fail2ban.actions: WARNING [qmail] Ban 173.212.197.10

Thanks very much

2011/5/6 Martin Waschbüsch IT-Dienstleistungen 

> Hi there,
>
> I will look into this further, but I noticed this right now:
>
> In filter.d, you have these two files:
>
> qmail.conf
> qmail-smtp.conf
>
> The filename itself (basename), e.g.
> filter.d/XYZ.conf
>
> corresponds to the
> filter = XYZ
> line you use in your jail.conf file:
>
> Consider the last three entries in your jail.conf:
>
> ***snip***
>
> enabled  = true
> filter   = named-refused
> action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
> logpath  = /var/log/messages
> ignoreip = 196.46.2.236 127.0.0.1 192.168.0.254 196.46.0.0/24 196.0.0.0/24
> maxretry = 10
> bantime  = 6
>
> [qmail]
> enabled = true
> filter = qmail
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
> logpath = /var/log/qmail/smtp/current
> maxretry = 5
> bantime = 3600
> ignoreip = 127.0.0.1 196.46.2.236
>
>
> [qmail-smtp]
> enabled = true
> filter = qmail
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
> logpath = /var/log/qmail/smtp/current
> maxretry = 5
> bantime = 3600
> ignoreip = 127.0.0.1 196.46.2.236
>
> ***snip***
>
> These entries use the files:
>
> filter.d/named-refused.conf
> filter.d/qmail.conf
> filter.d/qmail.conf
>
> However, none of your jails uses the qmail-smtp.conf file where you specify
> the 'new' regex in question.
> Also, the 'old' regex in qmail.conf itself is not working (on my system
> that is).
>
> Please replace your filter.conf/qmail.conf file with this:
>
> ***snip***
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 510 $
> #
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> failregex = rblsmtpd: <HOST> .*: 451 Blocked
>             CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> ***snip***
>
> Also, you need one of the two qmail references in your jail.conf file.
>
> I would delete the qmail-smtp section - it is not needed.
>
> Let me know if this helps.
>
> Martin
>
> On 06.05.2011 at 15:17, Délsio Cabá wrote:
>
> > 
>
>
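
For anyone who wants to check a filter before wiring it into a jail, here is an added example, my own code rather than fail2ban's or anything posted in this thread: a dry run of the two failregex lines from the qmail filter above (with the <HOST> tag fail2ban requires in place) over a constructed excerpt in the format of /var/log/qmail/smtp/current. The <HOST> expansion is the alias quoted in the filter header; the sample senders, HELO names and the rblsmtpd line format (rblsmtpd: <ip> pid <n>: 451 Blocked ...) are assumed, the IPs are RFC 5737 documentation addresses, and maxretry = 5 and findtime = 600 are the jail's setting from the thread and fail2ban's default respectively.

```python
"""Dry run of the corrected qmail filter over a constructed smtp/current excerpt.

Added example; neither fail2ban's code nor anything posted in the thread. It
expands <HOST> the way fail2ban 0.8 does, applies both failregex lines from the
filter above, reads the TAI64N label of every hit, and reports the hosts that
reach maxretry inside findtime, i.e. what the jail would ban.
"""
import re

# fail2ban 0.8's expansion of <HOST>, as quoted in the filter header above
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

FAILREGEX = [
    r"rblsmtpd: <HOST> .*: 451 Blocked",
    r"CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8}")
TAI64_UNIX_EPOCH = (1 << 62) + 10      # tai64n label = Unix seconds + 2^62 + 10 (assumed)


def tai64n_secs(line):
    """Unix seconds from the multilog label, or None if the line has none."""
    m = TAI64N_RE.match(line)
    return int(m.group(1), 16) - TAI64_UNIX_EPOCH if m else None


def tai64n_label(unix_secs, nanos=0):
    """Inverse of tai64n_secs(); only used to stamp the sample lines below."""
    return "@%016x%08x" % (unix_secs + TAI64_UNIX_EPOCH, nanos)


T0 = 1304662057   # 2011-05-06 06:07:37 UTC, the first stamp in the thread


def sample_log():
    """Constructed excerpt of /var/log/qmail/smtp/current: senders and HELO names are
    invented, IPs come from the RFC 5737 documentation ranges, nothing is real traffic."""
    relay = ("CHKUSER rejected relaying: from <{sender}:> remote <{helo}:{rdns}:{ip}> "
             "rcpt <victim@example.org> : client not allowed to relay")
    lines = [tai64n_label(T0) + " CHKUSER accepted sender: from <alice@example.com:> "
             "remote <mx.example.com:mx.example.com:198.51.100.20> rcpt <> : sender accepted"]
    for i in range(6):      # one bot: six relay attempts, a second apart
        lines.append(tai64n_label(T0 + 1 + i) + " " + relay.format(
            sender=f"bot{i}@example.net", helo="zombie", rdns="unknown", ip="203.0.113.7"))
    for i in range(3):      # a second client: three attempts now ...
        lines.append(tai64n_label(T0 + 10 + i) + " " + relay.format(
            sender="x@example.net", helo="laptop", rdns="unknown", ip="203.0.113.44"))
    lines.append(tai64n_label(T0 + 20) + " rblsmtpd: 198.51.100.9 pid 4242: 451 Blocked - "
                 "see http://dnsbl.example.org/?ip=198.51.100.9")
    lines.append(tai64n_label(T0 + 21) + " " + relay.format(      # matches, but is in ignoreip
        sender="me@localhost", helo="localhost", rdns="localhost", ip="127.0.0.1"))
    for i in range(2):      # ... and two more an hour later: never five inside findtime
        lines.append(tai64n_label(T0 + 3600 + i) + " " + relay.format(
            sender="x@example.net", helo="laptop", rdns="unknown", ip="203.0.113.44"))
    return lines


def failures(lines):
    """Yield (unix_secs, host) for every line some failregex matches, as the filter does."""
    for line in lines:
        when = tai64n_secs(line)
        if when is None:
            continue            # no parsable timestamp: fail2ban cannot place it in findtime
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                yield when, m.group("host")
                break


def hosts_to_ban(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1",)):
    """Per-host sliding window, like a jail: a host is banned the moment maxretry
    of its failures fall inside findtime. Returns {host: unix_secs of the ban}."""
    window, banned = {}, {}
    for when, host in sorted(failures(lines)):
        if host in ignoreip or host in banned:
            continue
        recent = [t for t in window.get(host, []) if t > when - findtime]
        recent.append(when)
        window[host] = recent
        if len(recent) >= maxretry:
            banned[host] = when
    return banned


if __name__ == "__main__":
    for host, when in hosts_to_ban(sample_log()).items():
        print("WARNING [qmail] Ban", host, "at", when)
```

It replays the log in timestamp order with the same sliding window a jail uses, so the bot that fires six times in six seconds is banned on its fifth attempt, the client that spreads five attempts over an hour is not, and 127.0.0.1 is skipped by ignoreip even though the line matches. Feed real lines into failures() to see exactly which host fail2ban would extract; if it yields nothing for a line you expect to match, either the regex or the timestamp parse is what to fix, which is the same split fail2ban-regex reports as "Date template hits" versus regex matches.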


Re: [qmailtoaster] Re: whitelist ip in trusted network

2011-05-06 Thread Rajesh M
> On 05/02/2011 07:24 PM, Rajesh M wrote:
>>> On 04/07/2011 11:38 PM, Rajesh M wrote:
> On 04/07/2011 05:50 PM, Rajesh M wrote:
>> hi
>>
>> i wish to whitelist a client's server static ip in the spamassasin
>> trusted
>> network
>>
>> i am entering the line like this
>>
>> trusted_networks xxx.yyy
>>
>>
>> if i do this then the email from this server ip should be given a
>> negative
>> score
>>
>> but it does not seem to work
>>
>> reading the wiki it seem that i need to turn the -L switch
>
> Which wiki page(s) led you to that conclusion?
> Which program (spamd?) is the -L switch for?
>
>> since this was not turned on by default in my qmail toaster
>> installation
>> i
>> would like some information as to any problems that i may face if i
>> turn
>> on the -L switch
>>
>> thanks very much
>>
>> rajesh
>>
>
>
> --
> -Eric 'shubes'
>
>
>


 hi eric

 http://wiki.apache.org/spamassassin/TrustPath

 the section is:
 How can I optimize the trusted_networks setting?

 rajesh

>>>
>>> I think you misunderstand what it's saying about the -L switch. It's
>>> saying that configuring the trust path information is worth
>>> configuring,
>>> whether or not you use the -L switch (QMT does not).
>>>
>>> I think you need to describe your *entire* trusted network in the
>>> trusted_networks parameter. The wiki says (above):
>>> "Generally you want trusted_networks set to contain all the mailservers
>>> you control that add Received: headers, and nothing else."
>>>
>>> HTH.
>>> --
>>> -Eric 'shubes'
>>>
>>>
>>>
>>>
>>>
>>
>> eric
>>
>> thanks for the information but i am still a bit confused on this.
>>
>> basically i need to whitelist a few external servers IPS who send me
>> email
>> are totally trusted.
>>
>> i dont want to put the sender domain in the simscan file since anybody
>> can
>> forge a domain name.
>>
>> i tried to put the ips in trusted_network (spamassassin local.cf) but it
>> does not work ie a negative score of 50 is not given to email
>>
>> how do i get this to work ?
>>
>> rajesh
>>
>
> I don't know SA that well off hand. Is there perhaps a device in between
> your trusted server and QMT, such that SA is not seeing/recognizing the
> address of the trusted server?
>
> If the servers who are sending mail are all that trusted, is it possible
> to get them to authenticate? If they can authenticate and use port 587,
> the messages from them would bypass SA entirely.
>
> --
> -Eric 'shubes'
>
>