spamdyke won't log the IP in its current version, but it wouldn't be hard to add. If you want a quick'n'dirty solution right away, you can add it very easily... just edit exec.c and change line 206 to this:

    SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);

Then recompile and replace the spamdyke binary with the new copy. Once it's in place, the "authentication failure" messages should show the IP address right after the username, separated by a space.

(NOTE: I haven't compiled or tested this change, proceed with caution...)

-- Sam Clippinger

On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Sam,
>
> Is there a way to get spamdyke to log invalid authorizations in a manner that
> fail2ban can use? My host has been hit continuously with brute-force
> attacks. Unfortunately, the logs only have:
>
> Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> \Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
>
> They seem to have a huge list of account names to try and I've got thousands
> of attempts just for today. Unfortunately, without any IP address in the
> message I can't have fail2ban automatically block these.
>
> Gary
>
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
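
An added example, not part of the original messages and not spamdyke or fail2ban code: a Python check of the log format the changed line 206 is expected to produce, assuming the IP is the last space-separated field as the reply describes. The sample lines, the documentation-range addresses, the syslog year and the max_retry/find_time names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed post-patch format: "... authentication failure (...): <username> <ip>"
FAILURE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ spamdyke\[\d+\]: .*"
    r"authentication failure \([^)]*\): (?P<user>.*) (?P<ip>\S+)$"
)

def parse_failure(line, year=2016):
    """Return (timestamp, username, ip) for an auth-failure line, else None."""
    m = FAILURE.match(line.rstrip("\n"))
    if not m:
        return None  # other message, or old format with no IP field
    try:
        # The username is client-supplied: trust only the final field as the IP.
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # final field is not an address
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), str(ip)

def offenders(lines, max_retry=3, find_time=600):
    """IPs with at least max_retry failures inside find_time seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, _user, ip in filter(None, map(parse_failure, lines)):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=find_time):
            window.popleft()
        if len(window) >= max_retry:
            flagged.add(ip)
    return sorted(flagged)

# Constructed sample lines; addresses come from documentation ranges.
PREFIX = ("tardis spamdyke[26727]: [ID 702911 mail.info] "
          "ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure "
          "(bad username/password, vchkpw uses this to indicate SMTP access "
          "is not allowed): ")
SAMPLE = [
    f"Jul 22 18:54:50 {PREFIX}verizon 203.0.113.7",
    f"Jul 22 18:57:23 {PREFIX}admin 203.0.113.7",
    f"Jul 22 19:00:10 {PREFIX}info 203.0.113.7",
    f"Jul 22 19:02:38 {PREFIX}sales 198.51.100.9 192.0.2.44",  # space in username
    f"Jul 22 19:05:16 {PREFIX}verizon",                        # old format, no IP
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The same end-of-line anchoring applies to a fail2ban failregex written for this format: the host group should be the last field on the line, after the username.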