I'm trying to block a few script kiddies who try my SMTP server as an open relay etc. Not that they succeed, of course, but it is quite annoying in the logging... I tried the following regexes, but they don't seem to work for me:
ENABLE_RULES = r"""(SMTP|ProFTPD).*"""
"SMTP-InvalidHostname": r"""^[^[]+?postfix\/smtpd\[\d\+]: warning: (?P<host>\d{1,3}\.\d{1,3}\.\{1,3}\.\d{1,3}) address not listed for hostname """,
"SMTP-InvalidIdentification": r"""^[^[]+?postfix\/smtpd\[\d\+]: warning: unknown\[(?P<host>\d{1,3}\.\d{1,3}\.\{1,3}\.\d{1,3})\]: SASL [PLAIN|LOGIN] authentication failed: authentication failure$
"""
The log lines are like so:
Sep 13 13:02:42 thor postfix/smtpd[25355]: warning: 66.197.194.229: address not listed for hostname ds1.avahost.net
Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL PLAIN authentication failed: authentication failure
Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL LOGIN authentication failed: authentication failure
While I'm at it... I'm also looking for the proper regexes for:
Sep 25 01:37:31 thor postfix/smtpd[6961]: warning: 212.98.234.178: hostname host-212-98-234-178.borusantelekom.com verification failed: Name or service not known
Sep 26 00:17:06 thor postfix/smtpd[3457]: warning: non-SMTP command from 61-224-32-204.dynamic.hinet.net[61.224.32.204]: Subject:84.245.3.95
Thanks!!
Lennard
patterns
Note that the second rule could be changed to (PLAIN|LOGIN), but it looks like both lines may be emitted for that condition, in which case, to avoid double counting, it is better to choose a single match.
To enable all these rules, and the older Postfix-550 rule already present, here's the changed ENABLE_RULES line:
ENABLE_RULES = r"""(sshd|.*ftpd|Postfix).*"""
or use the command line option:
--enable-rules="(sshd|.*ftpd|Postfix).*"
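As an added example (not code from the post or from the tool being configured), here are working Python regexes for all four log-line shapes quoted above, with the bugs in the posted patterns fixed (`\[\d+\]` instead of `\d\+]`, a full dotted quad instead of `\.\{1,3}`, and `(?:PLAIN|LOGIN)` instead of the character class `[PLAIN|LOGIN]`). The rule names for the last two lines, the `prefix`/`pid` groups and the de-duplication key are my assumptions; the sample lines are constructed from the ones in the post.

```python
import re

# Constructed sample lines, in the same shapes as the ones quoted in the post.
# The last line is a plain connect message and must not match any rule.
SAMPLE_LINES = [
    "Sep 13 13:02:42 thor postfix/smtpd[25355]: warning: 66.197.194.229: address not listed for hostname ds1.avahost.net",
    "Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL PLAIN authentication failed: authentication failure",
    "Sep 12 15:59:01 thor postfix/smtpd[7385]: warning: unknown[192.168.25.10]: SASL LOGIN authentication failed: authentication failure",
    "Sep 25 01:37:31 thor postfix/smtpd[6961]: warning: 212.98.234.178: hostname host-212-98-234-178.borusantelekom.com verification failed: Name or service not known",
    "Sep 26 00:17:06 thor postfix/smtpd[3457]: warning: non-SMTP command from 61-224-32-204.dynamic.hinet.net[61.224.32.204]: Subject:84.245.3.95",
    "Sep 26 00:17:07 thor postfix/smtpd[3457]: connect from unknown[10.0.0.5]",
]

# Shared syslog prefix: date + host up to the first '[', then the smtpd pid.
# Note '\[\d+\]' (the post had '\d\+]') and a full dotted quad for the IP
# (the post's '\.\{1,3}' lost the '\d' after the third dot).
PREFIX = r"^(?P<prefix>[^\[]+?) postfix/smtpd\[(?P<pid>\d+)\]: warning: "
IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

RULES = {
    "SMTP-InvalidHostname": re.compile(PREFIX + IP + r": address not listed for hostname "),
    # (?:PLAIN|LOGIN) is an alternation; [PLAIN|LOGIN] only matches one character.
    "SMTP-InvalidIdentification": re.compile(
        PREFIX + r"unknown\[" + IP + r"\]: SASL (?:PLAIN|LOGIN) authentication failed: authentication failure$"),
    "SMTP-HostnameVerification": re.compile(PREFIX + IP + r": hostname \S+ verification failed: "),
    "SMTP-NonSMTPCommand": re.compile(PREFIX + r"non-SMTP command from \S+?\[" + IP + r"\]: "),
}


def match_line(line):
    """Return (rule_name, match) for the first rule that matches, else None."""
    for name, rx in RULES.items():
        m = rx.match(line)
        if m:
            return name, m
    return None


def count_hits(lines):
    """Count hits per offending IP, one per (prefix, pid, rule, host).

    As the reply notes, both a SASL PLAIN and a SASL LOGIN line may be logged
    for one condition; keying on timestamp, smtpd pid and host counts that
    pair once instead of twice (an assumed heuristic, not the tool's logic).
    """
    seen, hits = set(), {}
    for line in lines:
        r = match_line(line)
        if r is None:
            continue
        name, m = r
        key = (m.group("prefix"), m.group("pid"), name, m.group("host"))
        if key not in seen:
            seen.add(key)
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits
```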