From owner-freebsd-questions@FreeBSD.ORG Tue Jun 4 22:18:21 2013
Date: Tue, 4 Jun 2013 18:18:14 -0400 (EDT)
From: Chris Hill
To: Doug Hardie
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
In-Reply-To: <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>
References: <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org>
Cc: tundra@tundraware.com, FreeBSD Mailing List

On Tue, 4 Jun 2013, Doug Hardie wrote:

> On 4 June 2013, at 08:47, Tim Daneliuk wrote:
>
>> I am seeing login dictionary attacks on a FreeBSD mail server being
>> reported. Is there a way to determine the IPs that are doing this
>> so they can be blocked at the firewall? auth.log only
>> notes the attempted user name, not the IP of origin.
>> --
>>
>
> I wrote some code to find the appropriate maillog entries which do
> include the IP addresses. It automagically adds the IP addresses to
> the pf blackhole table if certain criteria are met. The criteria are
> changeable. If you would like a copy, let me know.

That sounds incredibly useful. Can you post it somewhere?

--
Chris Hill chris@monochrome.org
** [ Busy Expunging ]
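
The approach described in the quoted reply (find the maillog entries that carry the client IP, then feed repeat offenders to a pf table) can look like the following added example; it is not Doug Hardie's program. It assumes sendmail's `AUTH failure ... relay=host [ip]` maillog form, a pf table named `blackhole`, a failure threshold of 3, and an allow-listed LAN prefix; every log line in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: sendmail's
# "AUTH failure ... relay=host [ip]" maillog form and a pf table named
# "blackhole". All log lines below are constructed sample data.

sample_maillog() {
cat <<'EOF'
Jun  4 08:40:01 mail sm-mta[2101]: r54Ce1Aa002101: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:40:03 mail sm-mta[2102]: r54Ce3Aa002102: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:40:05 mail sm-mta[2103]: r54Ce5Aa002103: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.7]
Jun  4 08:41:10 mail sm-mta[2110]: r54CfAAa002110: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=dsl.example.net [198.51.100.20] (may be forged)
Jun  4 08:42:00 mail sm-mta[2115]: r54Cg0Aa002115: from=<a@example.org>, size=912, nrcpts=1, proto=ESMTP, relay=mx.example.org [192.0.2.5]
Jun  4 08:43:00 mail sm-mta[2120]: r54Ch0Aa002120: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.168.1.50]
Jun  4 08:43:02 mail sm-mta[2121]: r54Ch2Aa002121: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.168.1.50]
Jun  4 08:43:04 mail sm-mta[2122]: r54Ch4Aa002122: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.168.1.50]
EOF
}

# Read maillog on stdin; print "count ip" for each IPv4 client with at
# least $1 AUTH failures, skipping addresses that start with prefix $2.
auth_fail_ips() {
    awk -v min="${1:-3}" -v allow="${2:-}" '
        /AUTH failure/ && match($0, /relay=.*\[[0-9.]+\]/) {
            ip = substr($0, RSTART, RLENGTH)
            sub(/.*\[/, "", ip); sub(/\]$/, "", ip)   # keep digits and dots only
            if (allow != "" && index(ip, allow) == 1) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k2
}

# Dry run: print the pfctl command per offender instead of executing it.
pf_block_cmds() {
    auth_fail_ips "$@" | while read -r _count ip; do
        echo "pfctl -t blackhole -T add $ip"
    done
}

sample_maillog | pf_block_cmds 3 192.168.
```

On a live system the input would be the mail log itself rather than `sample_maillog`, and the printed commands would be reviewed before being run as root.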