Date: Tue, 4 Jun 2013 18:18:14 -0400 (EDT)
From: Chris Hill <chris@monochrome.org>
To: Doug Hardie <bc979@lafn.org>
Cc: tundra@tundraware.com, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
Message-ID: <alpine.BSF.2.00.1306041817430.85563@tripel.monochrome.org>
In-Reply-To: <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>
References: <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>

On Tue, 4 Jun 2013, Doug Hardie wrote:

> On 4 June 2013, at 08:47, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported. Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall? auth.log only
>> notes the attempted user name, not the IP of origin.
>> --
>>
>
> I wrote some code to find the appropriate maillog entries which do
> include the IP addresses. It automagically adds the IP addresses to
> the pf blackhole table if certain criteria is met. The criteria is
> changeable. If you would like a copy, let me know.

That sounds incredibly useful. Can you post it somewhere?

--
Chris Hill               chris@monochrome.org
**                     [ Busy Expunging </> ]
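
An added example, not part of this thread and not Doug Hardie's code (which does not appear on this page): one way to pull the source addresses of repeated SASL failures out of maillog so they can be fed to a pf table. The `AUTH failure ... relay=[addr]` line layout, the sample lines, the threshold, and the function names are assumptions; check them against the lines your own sendmail writes.

```shell
#!/bin/sh
# failed_auth_ips THRESHOLD < maillog
# Prints, sorted, every IPv4 address that appears on at least THRESHOLD
# "AUTH failure" lines. Assumed format: the client address is the last
# bracketed dotted quad after "relay=" on the same line.
failed_auth_ips() {
    awk -v min="$1" '
        /AUTH failure/ {
            if (match($0, /relay=.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", s)    # drop everything up to the last "["
                sub(/\]$/, "", s)     # drop the closing "]"
                hits[s]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Constructed sample input (documentation address ranges, made-up queue ids).
sample_maillog() {
    cat <<'EOF'
Jun  4 08:47:01 mail sm-mta[4101]: r54Cl0aa004101: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:47:03 mail sm-mta[4102]: r54Cl2ab004102: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:47:05 mail sm-mta[4103]: r54Cl4ac004103: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:50:11 mail sm-mta[4110]: r54CoAad004110: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=host.example.net [198.51.100.20]
Jun  4 08:51:30 mail sm-mta[4115]: r54CpUae004115: from=<a@example.org>, size=812, nrcpts=1, proto=ESMTP, relay=[192.0.2.9]
EOF
}

# Addresses with three or more failures in the sample.
sample_maillog | failed_auth_ips 3

# On the mail server itself (as root), the result could be loaded into the
# pf table mentioned in the thread, here assumed to be named "blackhole":
#   failed_auth_ips 3 < /var/log/maillog | xargs pfctl -t blackhole -T add
```

A fixed threshold over the whole log will also catch a legitimate user who mistyped a password several times, so review the list or keep the threshold high before blocking.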