Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Jun 2013 18:18:14 -0400 (EDT)
From:      Chris Hill <chris@monochrome.org>
To:        Doug Hardie <bc979@lafn.org>
Cc:        tundra@tundraware.com, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Can sasl/sendmail Report IP Of Failed Access?
Message-ID:  <alpine.BSF.2.00.1306041817430.85563@tripel.monochrome.org>
In-Reply-To: <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>
References:  <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Tue, 4 Jun 2013, Doug Hardie wrote:

> On 4 June 2013, at 08:47, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported.  Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall?   auth.log only
>> notes the attempted user name, not the IP of origin.
>> --
>>
>
> I wrote some code to find the appropriate maillog entries which do 
> include the IP addresses.  It automagically adds the IP addresses to 
> the pf blackhole table if certain criteria is met.  The criteria is 
> changeable.  If you would like a copy, let me know.

That sounds incredibly useful. Can you post it somewhere?


-- 
Chris Hill               chris@monochrome.org
**                     [ Busy Expunging </> ]



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1306041817430.85563>