From owner-freebsd-questions@FreeBSD.ORG Tue Jun 4 22:54:46 2013
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 2C165D47 for ; Tue, 4 Jun 2013 22:54:46 +0000 (UTC) (envelope-from wblock@wonkity.com)
Received: from wonkity.com (wonkity.com [67.158.26.137]) by mx1.freebsd.org (Postfix) with ESMTP id E498910E3 for ; Tue, 4 Jun 2013 22:54:45 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.7/8.14.7) with ESMTP id r54Msjqd048671; Tue, 4 Jun 2013 16:54:45 -0600 (MDT) (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost) by wonkity.com (8.14.7/8.14.7/Submit) with ESMTP id r54MsiQk048668; Tue, 4 Jun 2013 16:54:45 -0600 (MDT) (envelope-from wblock@wonkity.com)
Date: Tue, 4 Jun 2013 16:54:44 -0600 (MDT)
From: Warren Block
To: Tim Daneliuk
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
In-Reply-To: <51AE6652.7050707@tundraware.com>
Message-ID:
References: <51AE0C04.2050507@tundraware.com> <10B9A72C-1BEA-498B-8BEA-88641656E434@lafn.org> <51AE6652.7050707@tundraware.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Tue, 04 Jun 2013 16:54:45 -0600 (MDT)
Cc: FreeBSD Mailing List
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Jun 2013 22:54:46 -0000

On Tue, 4 Jun 2013, Tim Daneliuk wrote:

> On 06/04/2013 04:51 PM, Doug Hardie wrote:
>>
>> On 4 June 2013, at 08:47, Tim Daneliuk wrote:
>>
>>> I am seeing login dictionary attacks on a FreeBSD mail server being
>>> reported. Is there a way to determine the IPs that are doing this
>>> so they can be blocked at the firewall? auth.log only
>>> notes the attempted user name, not the IP of origin.
>>> --
>>>
>>
>> I wrote some code to find the appropriate maillog entries which do include
>> the IP addresses. It automagically adds the IP addresses to the pf
>> blackhole table if certain criteria are met. The criteria are changeable.
>> If you would like a copy, let me know.
>>
>
> Yes, I'd love a look at that, thanks.

sshguard is supposed to be capable of analyzing log files beyond just ssh.
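The approach Doug describes (pull the source IPs of failed SASL AUTH attempts out of maillog and feed repeat offenders to a pf table) as an added example; this is not Doug's script nor anything from the thread. It assumes sendmail's "AUTH failure ... user=NAME [IP]" log format, constructed sample lines, a threshold of three failures, and a pf table named "blackhole" that already exists in pf.conf (e.g. `table <blackhole> persist` with a matching block rule).

```python
import re
from collections import Counter

# Sendmail SASL failure line shape as assumed for this example:
#   ... AUTH failure (LOGIN): authentication failure (-13) SASL(-13): ... user=NAME [IP]
FAIL_RE = re.compile(
    r"AUTH failure \((?P<mech>[A-Z0-9-]+)\).*?user=(?P<user>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Constructed sample maillog excerpt (not real traffic): three failures from one
# host, one from another, and one successful AUTH that must be ignored.
SAMPLE_MAILLOG = """\
Jun  4 16:10:01 mail sm-mta[48601]: r54MA1ab048601: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin [203.0.113.5]
Jun  4 16:10:03 mail sm-mta[48602]: r54MA3cd048602: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test [203.0.113.5]
Jun  4 16:10:05 mail sm-mta[48603]: r54MA5ef048603: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=info [203.0.113.5]
Jun  4 16:10:07 mail sm-mta[48604]: r54MA7gh048604: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob [198.51.100.7]
Jun  4 16:10:09 mail sm-mta[48605]: r54MA9ij048605: AUTH=server, relay=[192.0.2.20], authid=alice, mech=LOGIN, bits=0
"""


def failed_auths(lines):
    """Count SASL AUTH failures per source IP; successful AUTH lines do not match."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(lines, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, minus any allowlisted addresses.
    The threshold and allowlist are the 'changeable criteria'."""
    counts = failed_auths(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


def pf_commands(ips, table="blackhole"):
    """Build the pfctl invocations that add each IP to the pf table (dry run: not executed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_MAILLOG.splitlines())
    for cmd in pf_commands(bad):
        print(cmd)  # review the output, then pipe into sh(1) from a cron job if desired
```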