Email: avinash@aczoom.com
Can you post example log lines?
Do you have examples of the types of log lines printed?
For example, for pop3d, the following patterns are used - will need to modify them to accept the popa3d lines, based on what you said, the changes are probably quite minor.
From blockhosts.cfg:
pop3d
Well, this may be a little different and a bit harder to stop. In /var/log/messages, when the DOS attempt is in process, I get
popa3d [process number]: Authentication failed for UNKNOW USER
In /var/log/secure, for the same process, I get
popa3d [process number] : connect from xx.xx.xx.xxx (xx.xx.xx.xxx) of course the x is the ip.
Sure would be great if I could stop this mess. If I don't catch it, the thing kills the MTA with an overload.
can't catch
Based on the info above, since popa3d has not printed any single log line that says that Login or authentication failed for a specific IP address, there is no way to configure blockhosts for this case.
any way to stop this
Apr 30 21:52:53 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 21:54:53 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 21:56:55 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108
Apr 30 21:58:53 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:00:54 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:02:51 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:04:51 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:06:51 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:08:51 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108
Apr 30 22:10:55 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108
Is logging on?
Maybe dovecot logging level is not turned on?
auth_verbose=yes enables logging all failed authentication attempts. Dovecot doc has more details.
If that is set, maybe it is going to a different log file?
Otherwise, as for the pattern to catch the reported lines if the above does not work, follow instructions in blockhosts.cfg and add this pattern:
I am assuming rip=IP is the remote ip, and not lip=IP in the log messages.
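One way to check a pattern against the dovecot lines quoted in this thread before putting it into a blocking tool, as an added example (not part of the original posts and not the BlockHosts pattern the reply refers to): a Python regex that counts only the "auth failed" disconnects per rip= address. FAIL_RE, failed_attempts and hosts_over are hypothetical names, and the last sample line is constructed.

```python
import ipaddress
import re
from collections import Counter

# Only "auth failed" disconnects count; "no auth attempts" lines are ignored.
# The greedy ".*" makes the regex pick the LAST rip= on the line, because the
# user= field that precedes it is client-supplied and could contain "rip=".
FAIL_RE = re.compile(
    r"dovecot: pop3-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts?\):"
    r".*\brip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})\b"
)

# The first four lines are taken from the log excerpt in the thread above.
# The last line is constructed: its user name embeds a misleading "rip=".
SAMPLE = [
    "Apr 30 21:52:53 esrf dovecot: pop3-login: Disconnected (no auth attempts): rip=196.33.246.83, lip=192.168.0.108",
    "Apr 30 21:56:55 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108",
    "Apr 30 22:00:54 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108",
    "Apr 30 22:10:55 esrf dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=196.33.246.83, lip=192.168.0.108",
    "Apr 30 22:12:00 esrf dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<a, rip=10.0.0.1>, method=PLAIN, rip=203.0.113.9, lip=192.168.0.108",
]


def failed_attempts(lines):
    """Return a Counter mapping remote IP -> number of failed auth attempts."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            host = str(ipaddress.ip_address(m.group("host")))
        except ValueError:
            continue  # four dotted numbers that are not a valid address
        counts[host] += int(m.group("attempts"))
    return counts


def hosts_over(lines, threshold):
    """Return the sorted remote IPs with at least `threshold` failed attempts."""
    return sorted(h for h, n in failed_attempts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for host, n in failed_attempts(SAMPLE).items():
        print(host, n)
```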