Hi,
I have some attacks from different IP Addresses like this:
Code:
postfix/smtpd[23192]: warning: ns502589.ip-192-99-8.net[192.99.8.171]: SASL LOGIN authentication failed: authentication failure
postfix/smtpd[23192]: lost connection after AUTH from ns502589.ip-192-99-8.net[192.99.8.171]
postfix/smtpd[23192]: disconnect from ns502589.ip-192-99-8.net[192.99.8.171]
Should the following fail2ban Plesk postfix-sasl filter not block this? If I look at the regex, it should match, and fail2ban-regex also shows the correct matches. But I had about 4000 attempts in a short time and nothing was blocked. Could someone explain to me what I am doing wrong?
Code:
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
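Added example, not part of the original post and not fail2ban's or Plesk's own code: the posted failregex and ignoreregex applied to the posted log lines in Python, to show which lines the filter stage counts as a failure and for which address. The expansions of `__prefix_line` and `<HOST>` are simplified stand-ins (assumptions), the last sample line is constructed, and the inline `(?i)` is written as a scoped `(?i:...)` group so the pattern compiles on current Python.

```python
import re
from collections import Counter

# Assumed, simplified stand-ins for fail2ban's tag expansion; the real
# __prefix_line and <HOST> definitions accept more than these do.
DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"   # _daemon from the post
PREFIX_LINE = r"(?:.*?\s)?" + DAEMON + r"(?:\[\d+\])?:\s+"   # optional timestamp/host
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"                  # IPv4 only

# failregex from the post. The original inline (?i) applied to the whole
# pattern on older Python; here it is scoped to the mechanism names.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(
    r"authentication failed: Connection lost to authentication server$"
)

def failed_host(line):
    """Return the offending address if the line counts as a failure, else None."""
    if IGNOREREGEX.search(line):      # ignored lines never count
        return None
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def failures_per_host(lines):
    """Count failure lines per address, as the filter stage would see them."""
    return Counter(h for h in map(failed_host, lines) if h)

SAMPLE = [
    # The three lines from the post
    "postfix/smtpd[23192]: warning: ns502589.ip-192-99-8.net[192.99.8.171]: "
    "SASL LOGIN authentication failed: authentication failure",
    "postfix/smtpd[23192]: lost connection after AUTH from "
    "ns502589.ip-192-99-8.net[192.99.8.171]",
    "postfix/smtpd[23192]: disconnect from ns502589.ip-192-99-8.net[192.99.8.171]",
    # Constructed line: matches failregex but is dropped by ignoreregex
    "postfix/smtpd[1111]: warning: unknown[203.0.113.7]: "
    "SASL PLAIN authentication failed: Connection lost to authentication server",
]

if __name__ == "__main__":
    for host, count in failures_per_host(SAMPLE).items():
        print(host, count)
```

Only the `warning:` line of each attempt is a failure for this filter; the `lost connection` and `disconnect` lines do not add to the count.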