I'm trying to block a few scriptkiddies who try my SMTPserver as an open relay etc. Not they succeed ofcourse, but it is quite annoying in the logging.... I tried the following regex's, but they don't seem to work for me:
ENABLE_RULES = r"""(SMTP|ProFTPD).*"""
"SMTP-InvalidHostname": r"""^[^[]+?postfix\/smtpd\[\d\+]: warning: (?P<host>\d{1,3}\.\d{1,3}\.\{1,3}\.\d{1,3}) address not listed for hostname """,
"SMTP-InvalidIdentification": r"""^[^[]+?postfix\/smtpd\[\d\+]: warning: unknown\[(?P<host>\d{1,3}\.\d{1,3}\.\{1,3}\.\d{1,3})\]: SASL [PLAIN|LOGIN] authentication failed: authentication failure$
"""The loglines are like so:
Sep 13 13:02:42 thor postfix/smtpd[25355]: warning: 66.197.194.229: address not listed for hostname ds1.avahost.net Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL PLAIN authentication failed: authentication failure Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL LOGIN authentication failed: authentication failure
While'll at it.. I'm also looking for the proper regex's for:
Sep 25 01:37:31 thor postfix/smtpd[6961]: warning: 212.98.234.178: hostname host-212-98-234-178.borusantelekom.com verification failed: Name or service not known Sep 26 00:17:06 thor postfix/smtpd[3457]: warning: non-SMTP command from 61-224-32-204.dynamic.hinet.net[61.224.32.204]: Subject:84.245.3.95
Thanks!!
Lennard
Travel Travel reports, it is all about food
Montreal: Schwartz's, Le Petit Alep
Albums: Pictures and some notes
ITRANS Song Book Hindi, Urdu, Marathi song lyrics
Online ITRANS Web Interface
BlockHosts block hosts
BlockHosts FAQ
BlockHosts Forum
CD Inserts & Envelopes Web Interface
Nisha Ganatra's Films
Cake: starring Heather Graham
Email: avinash@aczoom.com
Copyright © 1995-2016 Avinash Chopde, avinash@aczoom.com
patterns
"Postfix-InvalidHostname": r"""^[^[]+?postfix/smtpd\[\d+\]: warning: (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): address not listed for hostname """, "Postfix-InvalidId": r"""^[^[]+?postfix/smtpd\[\d+\]: warning: unknown\[(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]: SASL (LOGIN) authentication failed: authentication failure$""", "Postfix-ServiceUnknown": r"""^[^[]+?postfix/smtpd\[\d+\]: warning: (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): hostname .* verification failed: Name or service not known$""", "Postfix-NonSMTPCommand": r"""^[^[]+?postfix/smtpd\[\d+\]: warning: non-SMTP command from .*\[(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]: Subject:""",Note that the second rule could be changed to (PLAIN|LOGIN), but it looks like both lines may be emitted for that condition, in which case, to avoid double counting, it is better to choose a single match.
To enable all these rules, and the older Postfix-550 rule already present, here's the changed ENABLE_RULES line:
ENABLE_RULES = r"""(sshd|.*ftpd|Postfix).*"""
or use the command line option:
--enable-rules="(sshd|.*ftpd|Postfix).*"