Can someone tell me how I can get the meaning of these variables
(ehlo..commands) in the postfix log? i.e.:

1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you very much!!

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
On Fri, 9 Aug 2019 03:32:20 -0700 (MST)
manu19 <[hidden email]> wrote:

> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1
> mail=1 rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1
> mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you very much!!
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

https://www.samlogic.net/articles/smtp-commands-reference.htm

--
-----------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer
CERM - Polo Scientifico
via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
In reply to this post by manu19
manu19:
> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
> rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
> rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

foo=x/y means that the client sent the 'foo' command 'y' times, and that
Postfix accepted 'x' of those commands. When 'x' and 'y' are the same,
Postfix shows only one.

These statistics make problems easy to diagnose. The command

$ grep auth=./ /var/log/maillog

will show spambots' attempts to log in. Here is a typical result:

Aug 1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[122.246.158.54] ehlo=1 auth=0/1 commands=1/2

Wietse
Thanks for the explanation, it has been very instructive.
Regards.

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
I have a fail2ban ban - quite active - based on this:

failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] (ehlo|helo)=\d+ .*auth=0/\d

(I whitelist a few ips that are our own, or known to run auth tests).
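An added example, not code from any post in this thread: it parses Postfix smtpd "disconnect" lines the way Wietse describes (foo=x/y is y sent, x accepted; foo=n means both are n) and cross-checks the sessions it flags against Dominic's failregex. The sample log lines are constructed, the syslog-prefix regex standing in for fail2ban's %(__prefix_line)s and the <host> group standing in for <HOST> are assumptions.

```python
import re

# Constructed sample lines in the shape of Postfix smtpd "disconnect" records
# (modelled on the lines quoted in the thread; hosts and addresses are made up).
SAMPLE_LOG = """\
Aug  1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  1 11:25:02 spike postfix/smtpd[26284]: disconnect from mail.example.net[198.51.100.5] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
Aug  1 11:26:40 spike postfix/smtpd[26290]: disconnect from relay.example.org[203.0.113.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

DISCONNECT_RE = re.compile(
    r"disconnect from (?P<name>\S+)\[(?P<host>[^\]]+)\] (?P<stats>.*)$")

def parse_disconnect(line):
    """Return (host, {command: (accepted, sent)}) or None if not a disconnect line.
    'foo=x/y' means y sent and x accepted; 'foo=n' means both equal n."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for field in m.group("stats").split():
        name, _, value = field.partition("=")
        if "/" in value:
            accepted, sent = value.split("/", 1)
        else:
            accepted = sent = value
        counters[name] = (int(accepted), int(sent))
    return m.group("host"), counters

# Dominic's failregex with the fail2ban macros expanded (assumption: the
# syslog prefix "... postfix/smtpd[pid]: " approximates %(__prefix_line)s).
FAILREGEX = re.compile(
    r"^.*?postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<host>[^\]]+)\] "
    r"(ehlo|helo)=\d+ .*auth=0/\d")

def auth_failures(log_text):
    """Hosts whose session sent AUTH commands of which Postfix accepted none."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        host, counters = parsed
        accepted, sent = counters.get("auth", (0, 0))
        if sent and accepted == 0:
            # The counter reading and the failregex must agree on every hit.
            assert FAILREGEX.match(line), "parser and failregex disagree"
            hits.append(host)
    return hits
```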
On 8/10/19 2:17 AM, Dominic Raferd wrote:
> I have a fail2ban ban - quite active - based on this:
>
> failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\]
> (ehlo|helo)=\d+ .*auth=0/\d
>
> See also http://www.postfix.org/announcements/postfix-3.0.0.html.
> (I whitelist a few ips that are our own, or known to run auth tests).

Since you mention fail2ban, I've recently installed fail2ban on my mail
server with the intention of setting it up to detect brute-force login
attempts on the SMTP port and *remotely tell my firewall* to block the
offending IPs. But studying the fail2ban documentation I've so far
found, I cannot for the life of me figure out how to do this, though I
am assured by others that it is perfectly possible and should be
straightforward to do.

Can anyone by chance point me to any documentation that explains how to
do this?

--
Phil Stracchino
Babylon Communications
[hidden email]
[hidden email]
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
On Fri, 6 Sep 2019 at 16:31, Phil Stracchino <[hidden email]> wrote:
> On 8/10/19 2:17 AM, Dominic Raferd wrote:

For the general approach, see (for instance) the custom action section at https://darrynvt.wordpress.com/tag/custom-fail2ban-actions/
In reply to this post by Phil Stracchino
On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
> Can anyone by chance point me to any documentation that explains how to do this?

Not off hand, but what you are looking for on google is:

fail2ban "action.d"

(the quotes will force google to return results with action.d)

In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I'd check, but I'm using sshguard now).

--
Let the Wookiee win.
On 9/6/19 2:03 PM, @lbutlr wrote:
> On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
>> Can anyone by chance point me to any documentation that explains how to do this?
>
> Not off hand, but what you are looking for on google is:
>
> fail2ban "action.d"
>
> (the quotes will force google to return results with action.d)
>
> In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I'd check, but I'm using sshguard now).

Yeah, I've already had a browse through that, but it appears to me that
all of the prewritten actions assume you're talking to a *local*
firewall, and I don't know enough about fail2ban yet to feel confident
modifying it without something to work from.

I was *about to say* that every single document I've so far found seems
to assume a local firewall, but I just now stumbled across one with a
remote-firewall example that I think I can work with.

--
Phil Stracchino
Babylon Communications
[hidden email]
[hidden email]
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
On 06/09/2019 20.25, Phil Stracchino wrote:
> On 9/6/19 2:03 PM, @lbutlr wrote:
> > On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
> >> Can anyone by chance point me to any documentation that explains how to do this?
> >
> > Not off hand, but what you are looking for on google is:
> >
> > fail2ban "action.d"
> >
> > (the quotes will force google to return results with action.d)
> >
> > In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I'd check, but I'm using sshguard now).
>
> Yeah, I've already had a browse through that, but it appears to me that
> all of the prewritten actions assume you're talking to a *local*
> firewall, and I don't know enough about fail2ban yet to feel confident
> modifying it without something to work from.
>
> I was *about to say* that every single document I've so far found seems
> to assume a local firewall, but I just now stumbled across one with a
> remote-firewall example that I think I can work with.

I use a custom script (/usr/local/sbin/fail2ban_action.sh) to block a
given IP, from which I call nft to add the IP to a set, by calling
"nft $1 element inet filter fail2ban { $2 }" (where $1 is add or delete
and $2 is the IP). If you want that action to happen on a remote system
you could just prepend "ssh <firewall>" to the command (assuming that
your local root can login as root to the firewall system without user
interaction..)

For reference, here is my /etc/fail2ban/action.d/local_block.conf:

[Definition]
actionban = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =
[Init]

where in /etc/fail2ban/jail.local I have

..
banaction = local_block
..

Hope that helps!