From: Tim Daneliuk
Date: Tue, 04 Jun 2013 17:12:34 -0500
To: Doug Hardie
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
Cc: FreeBSD Mailing List

On 06/04/2013 04:51 PM, Doug Hardie wrote:
>
> On 4 June 2013, at 08:47, Tim Daneliuk wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported. Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall? auth.log only
>> notes the attempted user name, not the IP of origin.
>> --
>>
>
> I wrote some code to find the appropriate maillog entries which do include the IP addresses. It automagically adds the IP addresses to the pf blackhole table if certain criteria is met. The criteria is changeable. If you would like a copy, let me know.
>

Yes, I'd love a look at that, thanks.

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
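
Added example, not part of the thread and not Doug Hardie's code: a sketch of the approach described in the quoted reply, counting sendmail AUTH failures per relay IP in maillog and printing pfctl commands for a pf table. The log line shape, the table name blackhole, the threshold, the ALLOW list and the function names are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: count sendmail AUTH failures per relay IPv4 address.
# Assumed line shape: "... AUTH failure (MECH): ..., relay=name [a.b.c.d]"

ALLOW="${ALLOW:-127.0.0.1}"  # space-separated IPs never to block (assumed)

# Read maillog on stdin; print IPs with at least $1 failures (default 3).
failed_auth_ips() {
    awk -v min="${1:-3}" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /AUTH failure/ {
        p = index($0, "relay=")
        if (p == 0) next
        s = substr($0, p)
        ip = ""
        # Keep the last bracketed IPv4 after relay=, so a bracketed string
        # inside the reverse-DNS name is not taken as the address.
        while (match(s, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
            ip = substr(s, RSTART + 1, RLENGTH - 2)
            s = substr(s, RSTART + RLENGTH)
        }
        if (ip != "" && !(ip in skip)) count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Print, rather than run, the additions to the (assumed) pf table "blackhole".
pf_commands() {
    while read -r ip; do
        echo "pfctl -t blackhole -T add $ip"
    done
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
cat <<'EOF'
Jun  4 08:01:10 mail sm-mta[4101]: r54D1A01004101: AUTH failure (LOGIN): authentication failure (-13), relay=[203.0.113.5]
Jun  4 08:01:14 mail sm-mta[4102]: r54D1E01004102: AUTH failure (LOGIN): authentication failure (-13), relay=[203.0.113.5]
Jun  4 08:01:19 mail sm-mta[4103]: r54D1J01004103: AUTH failure (LOGIN): authentication failure (-13), relay=h.example.net [203.0.113.5]
Jun  4 08:02:00 mail sm-mta[4104]: r54D2001004104: AUTH failure (PLAIN): authentication failure (-13), relay=[198.51.100.7]
Jun  4 08:03:00 mail sm-mta[4105]: r54D3001004105: AUTH failure (LOGIN): authentication failure (-13), relay=office.example.org [192.0.2.10]
Jun  4 08:03:05 mail sm-mta[4106]: r54D3501004106: AUTH failure (LOGIN): authentication failure (-13), relay=office.example.org [192.0.2.10]
Jun  4 08:03:09 mail sm-mta[4107]: r54D3901004107: AUTH failure (LOGIN): authentication failure (-13), relay=office.example.org [192.0.2.10]
EOF
}

# Real host: failed_auth_ips 5 < /var/log/maillog | pf_commands
sample_log | failed_auth_ips 3 | pf_commands
```

For the printed commands to have any effect, pf.conf has to declare the table and block on it, for example `table <blackhole> persist` with `block in quick from <blackhole>`. Put your own networks in ALLOW so a user who mistypes a password a few times is not locked out.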