Date: Tue, 4 Jun 2013 16:54:44 -0600 (MDT)
From: Warren Block <wblock@wonkity.com>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
Message-ID: <alpine.BSF.2.00.1306041653320.47050@wonkity.com>
In-Reply-To: <51AE6652.7050707@tundraware.com>
References: <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org> <51AE6652.7050707@tundraware.com>

On Tue, 4 Jun 2013, Tim Daneliuk wrote:

> On 06/04/2013 04:51 PM, Doug Hardie wrote:
>>
>> On 4 June 2013, at 08:47, Tim Daneliuk <tundra@tundraware.com> wrote:
>>
>>> I am seeing login dictionary attacks on a FreeBSD mail server being
>>> reported. Is there a way to determine the IPs that are doing this
>>> so they can be blocked at the firewall? auth.log only
>>> notes the attempted user name, not the IP of origin.
>>> --
>>>
>>
>> I wrote some code to find the appropriate maillog entries which do include
>> the IP addresses. It automagically adds the IP addresses to the pf
>> blackhole table if certain criteria is met. The criteria is changeable.
>> If you would like a copy, let me know.
>>
>
> Yes, I'd love a look at that, thanks.

sshguard is supposed to be capable of analyzing log files beyond just ssh.
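
The approach discussed in this thread (pull client IPs out of maillog, then add repeat offenders to a pf table), as an added example that is not part of the original messages and is not Doug Hardie's code. The log line shape, the table name `blackhole`, the allowlisted network and the threshold of 3 are assumptions; adjust the regex to what your sendmail actually logs.

```python
import ipaddress
import re
from collections import Counter

# Assumed line shape, not taken from the thread: sendmail logs "AUTH failure (...)"
# and ends the line with relay=[ip] or relay=host [ip].
AUTH_FAIL = re.compile(r"AUTH failure \(.*relay=(?:\S+ )?\[([0-9A-Fa-f:.]+)\]")
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical: own networks, never blocked

# Constructed sample lines (documentation address ranges only).
SAMPLE_MAILLOG = """\
Jun  4 08:40:01 mx sm-mta[4101]: r54Ee0aa: AUTH failure (LOGIN): authentication failure (-13), relay=[203.0.113.9]
Jun  4 08:40:03 mx sm-mta[4102]: r54Ee2ab: AUTH failure (LOGIN): authentication failure (-13), relay=[203.0.113.9]
Jun  4 08:40:05 mx sm-mta[4103]: r54Ee4ac: AUTH failure (PLAIN): authentication failure (-13), relay=[203.0.113.9]
Jun  4 08:41:10 mx sm-mta[4110]: r54Ef9ad: AUTH failure (LOGIN): authentication failure (-13), relay=dyn.example.net [198.51.100.20]
Jun  4 08:42:00 mx sm-mta[4120]: r54Eg0ae: from=<a@example.org>, size=812, nrcpts=1, relay=mail.example.org [192.0.2.5]
Jun  4 08:43:00 mx sm-mta[4130]: r54Eh0af: AUTH failure (LOGIN): authentication failure (-13), relay=[192.0.2.77]
Jun  4 08:43:02 mx sm-mta[4131]: r54Eh2ag: AUTH failure (LOGIN): authentication failure (-13), relay=[192.0.2.77]
Jun  4 08:43:04 mx sm-mta[4132]: r54Eh4ah: AUTH failure (LOGIN): authentication failure (-13), relay=[192.0.2.77]
"""

def failed_auth_ips(lines):
    """Count AUTH failures per client IP; ordinary mail lines are ignored."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        try:
            # Log text is influenced by the remote side: only a value that
            # parses as an IP address may ever reach a firewall command.
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            pass
    return counts

def offenders(counts, threshold=3, allow=ALLOW):
    """IPs at or above the failure threshold that are not in an allowlisted net."""
    out = []
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in allow):
            out.append(ip)
    return sorted(out)

def pf_commands(ips, table="blackhole"):
    # Returned as text for review; the pf ruleset must already reference the table.
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(pf_commands(offenders(failed_auth_ips(SAMPLE_MAILLOG.splitlines())))))
```

The allowlist matters in practice: a user who mistypes a password from the office network would otherwise lock the whole office out of the mail server.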