Displaying 20 results from an estimated 1000 matches similar to: "under another kind of attack"
2017 Jul 27
1
under another kind of attack
> On 26 Jul 2017, at 7:57 pm, Olaf Hopp <Olaf.Hopp at kit.edu> wrote:
>
> Dear colleagues,
>
> many thanks for your valuable input.
>
> Since we are a university, GEO-IP blocking is not an option for us.
> Sometimes I think it should ;-)
>
> My "mistake" was that I had just *one* fail2ban filter for both cases:
> "wrong password" and
2017 Jul 26
0
under another kind of attack
Dear colleagues,
many thanks for your valuable input.
Since we are a university, GEO-IP blocking is not an option for us.
Sometimes I think it should ;-)
My "mistake" was that I had just *one* fail2ban filter for both cases:
"wrong password" and "unknown user".
Now I have two distinct jails:
The first one just for "wrong password" and here the findtime,
2017 Jul 25
10
under another kind of attack
Hi folks,
"somehow" similar to the thread "under some kind of attack" started by "MJ":
I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wrong password and/or users. But the rate at which they are knocking
is very very low. So fail2ban will never catch them.
For example one IP:
Jul 25
2017 Jul 29
1
under another kind of attack
Hi to all,
@Olaf Hopp I've this filter enabled for fail2ban, my question is: could
my filters overlap or interfere with those suggested by you?
this is my filter:
Contents of /etc/fail2ban/jail.conf:
[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
2017 Mar 01
3
fail2ban Asterisk 13.13.1
Hello, fail2ban does not ban offending IP.
NOTICE[29784] chan_sip.c: Registration from
'"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong
password
NOTICE[29784] chan_sip.c: Registration from
'"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53911' -
Wrong password
systemctl status
2017 Mar 02
3
fail2ban Asterisk 13.13.1
If this is a small site, I recommend you download the free version of SecAst
(www.telium.ca <http://www.telium.ca>) and replace fail2ban. SecAst does
NOT use the log file, or regexes, to match etc. Instead it talks to Asterisk
through the AMI to extract security information. Messing with regexes is a
losing battle, and the lag in reading logs can allow an attacker 100+
registration
2019 Apr 29
2
faI2ban detecting and banning but nothing happens
On Monday 29 April 2019 02:21:05 Gordon Messmer wrote:
> That's one approach. I believe that you could modify fewer files by
> setting "port = 0:65535" in your definition in "jail.local" and not
> install firewallcmd-ipset.local.
I have just tried this, and re-started fail2ban. It does not seem to have worked.
I have looked at /var/log/exim/main.log and found
2017 Dec 17
1
ot: fail2ban dovecot setup
On Mon, December 18, 2017 3:06 am, Alex JOST wrote:
> Did you enable the dovecot service in fail2ban? By default all jails are
> disabled.
>
> /etc/fail2ban/jail.conf:
> [dovecot]
> enabled = true
Alex, thanks
no, not in jail.conf, I've put it in the
(1)
/etc/fail2ban/jail.local
I've also added postfix, that seems to work:
I've made test failed dovecot and
2013 Oct 04
4
fail2ban
For dovecot 2.1
as per wiki2, is this still valid? noticed a problem before and saw
it does seem to be triggering, I use:
maxretry = 6
findtime = 600
bantime = 3600
and there was like, 2400 hits in 4 minutes, it is pointing to the
correct log file, but I am no expert with fail2ban, so not sure if the
log format of today is compatible with the wiki2 entry
filter.d/dovecot.conf
[Definition]
2019 Apr 26
5
faI2ban detecting and banning but nothing happens
On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn wrote:
> > I've followed one of the pages on line specifically for installing fail2ban on
> > Centos 7 and all looks fine.
>
> Which page? It would help to see what they advised.
> On Friday 19 April 2019 16:15:32 Kenneth Porter wrote:
> On 4/19/2019 5:30 AM, Gary Stainburn
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
Hi!
I have a server running CentOS 7.7 (1908) with all current patches installed.
I think this server should be a quite standard installation with no specialities
On this server I have fail2ban with an apache and openvpn configuration.
I'm using firewalld to manage the firewall rules.
Fail2ban is configured to use firewalld:
[root at server ~]# ll /etc/fail2ban/jail.d/
insgesamt 12
2017 Jul 25
0
under another kind of attack
Olaf Hopp <Olaf.Hopp at kit.edu> writes:
> I have dovecot shielded by fail2ban which works fine. But since a few
> days I see many many IPs per day knocking on my doors with wrong
> password and/or users. But the rate at which they are knocking is very
> very low. So fail2ban will never catch them.
Slow roll distributed attacks. Really hard to stop.
> And I see many many
2017 Jul 31
0
under another kind of attack
> From: Olaf Hopp <Olaf.Hopp at kit.edu>
> Davide,
> yours is all postfix and thus has got no overlap with dovecot.
> So no interference.
> Olaf
Yes, I know, but I preferred not to give anything for granted ;-)
Many Thanks Olaf!
2018 Apr 20
2
Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5
OK, I found a solution:
trusted_users = exim:dovecot
in my exim.conf fixed it.
Anyway this is an important change of behaviour between 2.2 and 2.3.
In 2.2 the "dovecot" under exim's "trusted_users" was not necessary.
Olaf
On 04/20/2018 02:53 PM, Olaf Hopp wrote:
> On 04/20/2018 02:01 PM, Olaf Hopp wrote:
>> Hi (Stephan?),
>> is it a new feature of dovecot 2.3
2020 Apr 04
2
replication and spam removal ("doveadm expunge")
Can you provide doveconf -n and try turning on mail_debug=yes on both ends and try doveadm -Dv expunge ....

Aki
2018 Apr 23
2
Sieve "redirect" changes envelope sender in 2.3. / pigeonhole 0.5
On 04/23/2018 03:22 PM, Stephan Bosch wrote:
>
>
> On 20-4-2018 at 14:01, Olaf Hopp wrote:
>> Hi (Stephan?),
>> is it a new feature of dovecot 2.3 /pigeonhole 0.5 that a sieve "redirect" changes the envelope sender of
>> a redirected mail or simply a bug ?
>>
>> A sends mail to B, B redirects to C
>> C sees B (not A!) as envelope sender.
2018 May 09
2
lmtp panic with many recipients
On 05/09/2018 11:10 AM, Stephan Bosch wrote:
>
>
> On 09/05/2018 at 10:17, Ralf Hildebrandt wrote:
>> * Stephan Bosch <stephan at rename-it.nl>:
>>>
>>> On 08/05/2018 at 10:34, Olaf Hopp wrote:
>>>> Hi,
>>>>
>>>> I had an email with 58 recipients in the "To" and 13 in the "CC"
>>>>
2016 Mar 10
0
[ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
From: bounces at isc.sans.edu
To: sbradcpa at pacbell.net <sbradcpa at pacbell.net>
Novel method for slowing down Locky on Samba server using fail2ban
https://isc.sans.edu/diary.html?n&storyid=20805
http://www.heise.de/security/artikel/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html
Google Translate version of above:
If you teach the Samba server to monitor and write Rename
2020 Mar 30
2
replication and spam removal ("doveadm expunge")
Hello everybody,
since now I did no replication and spam is delivered into users folder "spambox"
Every night there is a cronjob which deletes spam older than 30 days via something like
"find .... -ctime +30 -delete"
Now I'm going to set up replication (two way) and I thought that
doing "rm" is not a good idea.
So I modified the job to something like
2017 Jun 06
3
v2.2.30.1 released
On 06/05/2017 11:05 AM, Angel L. Mateo wrote:
> I have updated my dovecot proxy servers from 2.2.28 to 2.2.30. Since the upgrade I'm having the error:
>
> Jun 5 10:54:51 musio12 dovecot: auth: Fatal: master: service(auth): child 63632 killed with signal 11 (core not dumped)
>
>
Me too, with
# 2.2.30.1 (eebd877): /opt/dovecot/etc/dovecot/dovecot.conf
# Pigeonhole