From: Doug Hardie
Date: Tue, 4 Jun 2013 14:51:08 -0700
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
To: tundra@tundraware.com
Cc: FreeBSD Mailing List

On 4 June 2013, at 08:47, Tim Daneliuk wrote:

> I am seeing login dictionary attacks on a FreeBSD mail server being
> reported. Is there a way to determine the IPs that are doing this
> so they can be blocked at the firewall? auth.log only
> notes the attempted user name, not the IP of origin.

I wrote some code to find the appropriate maillog entries which do include the IP addresses. It automagically adds the IP addresses to the pf blackhole table if certain criteria are met. The criteria are changeable. If you would like a copy, let me know.
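
The approach described in the reply above, as an added example; it is not Doug Hardie's code, which does not appear on this page. The sendmail "AUTH failure ... relay=[ip]" log shape, the failure threshold, the allow list and the pf table name "blackhole" are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed sendmail maillog shape: "AUTH failure (MECH): ..., relay=[ip]" or "relay=host [ip]".
AUTH_FAIL = re.compile(r"AUTH failure \([^)]*\):.*relay=(?:\S+ )?\[(?:IPv6:)?([^\]]+)\]")
FAIL = "AUTH failure (LOGIN): authentication failure (-13) SASL(-13): checkpass failed"

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE_MAILLOG = [
    f"Jun  4 08:40:01 mail sm-mta[4101]: r54Fe1aa004101: {FAIL}, relay=[203.0.113.7]",
    f"Jun  4 08:40:09 mail sm-mta[4102]: r54Fe9aa004102: {FAIL}, relay=[203.0.113.7]",
    f"Jun  4 08:40:17 mail sm-mta[4103]: r54FeHaa004103: {FAIL}, relay=[203.0.113.7]",
    f"Jun  4 08:41:02 mail sm-mta[4104]: r54Ff2aa004104: {FAIL}, relay=dsl.example.net [198.51.100.9]",
    "Jun  4 08:41:30 mail sm-mta[4105]: r54FfUaa004105: from=<a@example.org>, size=1200, relay=mx.example.org [198.51.100.9]",
    f"Jun  4 08:42:00 mail sm-mta[4106]: r54Fg0aa004106: {FAIL}, relay=[IPv6:2001:db8::5]",
    f"Jun  4 08:42:04 mail sm-mta[4107]: r54Fg4aa004107: {FAIL}, relay=[IPv6:2001:db8::5]",
    f"Jun  4 08:42:08 mail sm-mta[4108]: r54Fg8aa004108: {FAIL}, relay=[IPv6:2001:db8::5]",
]

def failed_auth_counts(lines):
    """Count AUTH failures per source address, ignoring every other log line."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # not a valid address: never pass raw log text on to pfctl
    return counts

def offenders(lines, threshold=3, allow=()):
    """Addresses with at least `threshold` failures that are outside the allow-listed networks."""
    nets = [ipaddress.ip_network(n) for n in allow]
    hits = failed_auth_counts(lines)
    return sorted(ip for ip, n in hits.items() if n >= threshold
                  and not any(ipaddress.ip_address(ip) in net for net in nets))

def pfctl_commands(ips, table="blackhole"):
    """Build (but do not run) one pfctl argv per address; the table name is hypothetical."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]

if __name__ == "__main__":
    for argv in pfctl_commands(offenders(SAMPLE_MAILLOG)):
        print(" ".join(argv))
```

The allow list keeps your own networks and known relays out of the table when a legitimate user mistypes a password a few times.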