Date:      Tue, 04 Jun 2013 17:12:34 -0500
From:      Tim Daneliuk <tundra@tundraware.com>
To:        Doug Hardie <bc979@lafn.org>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Can sasl/sendmail Report IP Of Failed Access?
Message-ID:  <51AE6652.7050707@tundraware.com>
In-Reply-To: <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>
References:  <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>

On 06/04/2013 04:51 PM, Doug Hardie wrote:
>
> On 4 June 2013, at 08:47, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported.  Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall?   auth.log only
>> notes the attempted user name, not the IP of origin.
>> --
>>
>
> I wrote some code to find the appropriate maillog entries which do include the IP addresses.  It automagically adds the IP addresses to the pf blackhole table if certain criteria are met.  The criteria are changeable.  If you would like a copy, let me know.
>

Yes, I'd love a look at that, thanks.

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
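
A sketch of the approach described in the quoted reply, as an added example that is not Doug Hardie's code and not part of the original thread: it counts sendmail `possible SMTP attack: command=AUTH` maillog lines per source IP and builds `pfctl` commands for addresses past a threshold. The log line format, the table name `blackhole`, the threshold and the allow-list parameter are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample maillog lines (assumed sendmail format; check against your own logs).
SAMPLE_MAILLOG = """\
Jun  4 08:41:02 mail sm-mta[4101]: r54Df1xK004101: [203.0.113.7]: possible SMTP attack: command=AUTH, count=3
Jun  4 08:41:09 mail sm-mta[4102]: r54Df8xK004102: [203.0.113.7]: possible SMTP attack: command=AUTH, count=3
Jun  4 08:41:15 mail sm-mta[4103]: r54DfExK004103: host.example.net [203.0.113.7] (may be forged): possible SMTP attack: command=AUTH, count=4
Jun  4 08:42:30 mail sm-mta[4110]: r54DgUxK004110: [198.51.100.23]: possible SMTP attack: command=AUTH, count=3
Jun  4 08:43:00 mail sm-mta[4111]: r54Dh0xK004111: from=<a@example.org>, size=1203, nrcpts=1, relay=mx.example.org [192.0.2.10]
Jun  4 08:44:00 mail sm-mta[4112]: r54Di0xK004112: [999.1.1.1]: possible SMTP attack: command=AUTH, count=3
"""

# The bracketed value is the connecting address; any hostname before it may be forged.
AUTH_ATTACK = re.compile(
    r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\](?: \(may be forged\))?: "
    r"possible SMTP attack: command=AUTH, count=\d+")

def failed_auth_sources(log_text):
    """Return a Counter of AUTH-attack log lines per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AUTH_ATTACK.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never pass unvalidated log text on to a command line
        hits[str(ip)] += 1
    return hits

def pf_commands(hits, threshold=3, table="blackhole", allow=()):
    """Build pfctl commands for IPs at or above threshold and outside the allow-list."""
    nets = [ipaddress.ip_network(n) for n in allow]
    cmds = []
    for ip, count in sorted(hits.items()):
        addr = ipaddress.ip_address(ip)
        if count >= threshold and not any(addr in net for net in nets):
            cmds.append(f"pfctl -t {table} -T add {ip}")
    return cmds

if __name__ == "__main__":
    print("\n".join(pf_commands(failed_auth_sources(SAMPLE_MAILLOG))))
```

The script only prints the commands; review them, and keep your own networks in `allow`, before running anything as root.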



