My /var/log/auth.log has been clean as a "baby's bottom" for days thanks to "denyhost", but currently (for the last 2 days) I have been seeing more and more "attacks" on: postfix/smtpd and dovecot.
denyhosts "only" reads the file "/var/log/auth.log"
The "attacks" look like this:
/var/log/mail.log
postfix/smtpd[1487]: connect from unknown[81.196.57.81]
postfix/smtpd[1398]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1337]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1488]: connect from unknown[81.196.57.81]
postfix/smtpd[1398]: connect from unknown[81.196.57.81]
postfix/smtpd[1337]: connect from unknown[81.196.57.81]
postfix/smtpd[1491]: connect from unknown[81.196.57.81]
postfix/smtpd[1404]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1406]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1405]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1414]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1425]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2901]: disconnect from unknown[81.196.57.81]
postfix/smtpd[2035]: disconnect from unknown[81.196.57.81]
postfix/anvil[1340]: statistics: max connection rate 162/60s for (smtp:81.196.57.81) at Jan 19 17:52:11
postfix/anvil[1340]: statistics: max connection count 36 for (smtp:81.196.57.81) at Jan 19 17:51:51
postfix/anvil[1340]: statistics: max cache size 1 at Jan 19 17:51:11
or
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<francis>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<angel>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<denver>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<danny>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<harold>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<august>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<angel>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
dovecot: pop3-login: Aborted login (1 authentication attempts): user=<gerald>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY
and this is what /var/log/syslog looks like:
postfix/smtpd[1398]: connect from unknown[81.196.57.81]
postfix/smtpd[2029]: connect from unknown[81.196.57.81]
postfix/smtpd[2123]: connect from unknown[81.196.57.81]
postfix/smtpd[1475]: connect from unknown[81.196.57.81]
postfix/smtpd[2119]: connect from unknown[81.196.57.81]
postfix/smtpd[2121]: connect from unknown[81.196.57.81]
postfix/smtpd[2030]: connect from unknown[81.196.57.81]
postfix/smtpd[1337]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2047]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1491]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1473]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2022]: connect from unknown[81.196.57.81]
postfix/smtpd[1474]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1488]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1406]: connect from unknown[81.196.57.81]
postfix/smtpd[2901]: connect from unknown[81.196.57.81]
postfix/smtpd[2906]: connect from unknown[81.196.57.81]
postfix/smtpd[2908]: connect from unknown[81.196.57.81]
postfix/smtpd[1488]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1491]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1337]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1474]: disconnect from unknown[81.196.57.81]
postfix/smtpd[1473]: disconnect from unknown[81.196.57.81]
postfix/smtpd[2047]: disconnect from unknown[81.196.57.81]
Can I somehow persuade denyhosts to also evaluate "/var/log/syslog" and/or "/var/log/mail.log"? Googling turns up nothing on this, except that it apparently can only read auth.log.
So would I then have to install fail2ban in addition, to evaluate and block based on "/var/log/syslog" and/or "/var/log/mail.log"?
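What a log-based blocker such as fail2ban does with the mail.log and syslog excerpts above is, at its core, pattern matching plus per-IP counting. The following is an added example written for this thread, not code from the post, from denyhosts or from fail2ban: it parses the two failure formats shown (Postfix "SASL LOGIN authentication failed" warnings and Dovecot "Aborted login" lines), ignores the connect/disconnect noise, and reports which source addresses reach a failure threshold. The sample lines are taken from the post, plus one constructed Dovecot line from the documentation address 203.0.113.7 that is not in the post; the `maxretry` name is borrowed from fail2ban's terminology. Because the excerpt carries no timestamps, the example counts over the whole input rather than a sliding time window.

```python
"""Count failed mail logins per source IP from Postfix/Dovecot log lines (added example)."""
import base64
import re
from collections import Counter, defaultdict

# Postfix smtpd SASL failure; the trailing token is the base64 of the last server challenge.
POSTFIX_SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed: (?P<challenge>[A-Za-z0-9+/=]+)$"
)
# Dovecot aborted login (pop3 or imap), with the attempt counter and remote IP ("rip").
DOVECOT_ABORTED = re.compile(
    r"dovecot: (?:pop3|imap)-login: Aborted login \((?P<attempts>\d+) authentication attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<ip>[\d.]+)"
)


def parse_failure(line):
    """Return (ip, user or None, attempts) for a failed-auth line, or None for other lines."""
    m = POSTFIX_SASL_FAIL.search(line)
    if m:
        return m.group("ip"), None, 1
    m = DOVECOT_ABORTED.search(line)
    if m:
        return m.group("ip"), m.group("user"), int(m.group("attempts"))
    return None


def decode_sasl_challenge(line):
    """Decode the base64 challenge Postfix appends to a SASL failure (e.g. 'Password:')."""
    m = POSTFIX_SASL_FAIL.search(line)
    if not m:
        return None
    return base64.b64decode(m.group("challenge")).decode("ascii", errors="replace")


def count_failures(lines):
    """Map source IP -> total failed attempts, skipping connect/disconnect/anvil lines."""
    totals = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ip, _user, attempts = parsed
            totals[ip] += attempts
    return totals


def users_tried(lines):
    """Map source IP -> sorted list of usernames seen in Dovecot failures (for the report)."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_failure(line)
        if parsed and parsed[1] is not None:
            seen[parsed[0]].add(parsed[1])
    return {ip: sorted(users) for ip, users in seen.items()}


def offenders(lines, maxretry=5):
    """Sorted list of IPs whose failure count reaches maxretry (fail2ban's term for the limit)."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= maxretry)


# Sample input: lines from the post, plus one constructed line (203.0.113.7) that is not.
SAMPLE_LINES = [
    "postfix/smtpd[1487]: connect from unknown[81.196.57.81]",
    "postfix/smtpd[1404]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "postfix/smtpd[1406]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "postfix/smtpd[1405]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "postfix/smtpd[1414]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "postfix/smtpd[1425]: warning: unknown[81.196.57.81]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "postfix/smtpd[2901]: disconnect from unknown[81.196.57.81]",
    "postfix/anvil[1340]: statistics: max connection rate 162/60s for (smtp:81.196.57.81) at Jan 19 17:52:11",
    "dovecot: pop3-login: Aborted login (1 authentication attempts): user=<francis>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY",
    "dovecot: pop3-login: Aborted login (1 authentication attempts): user=<angel>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY",
    "dovecot: pop3-login: Aborted login (1 authentication attempts): user=<denver>, method=PLAIN, rip=206.10.155.111, lip=88.198.XXX.YYY",
    # constructed, not from the post: a single failure from a documentation-range address
    "dovecot: imap-login: Aborted login (1 authentication attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=88.198.XXX.YYY",
]

if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_LINES).most_common():
        print(f"{ip:16} failures={n:3} users={users_tried(SAMPLE_LINES).get(ip, [])}")
    print("would block at maxretry=5:", offenders(SAMPLE_LINES))
    print("last SASL challenge:", decode_sasl_challenge(SAMPLE_LINES[1]))
```

Run against the excerpt, the Postfix source reaches the limit of 5 while the Dovecot source in this subset does not; lowering `maxretry` to 3 reports both. Decoding the `UGFzc3dvcmQ6` token gives `Password:`, i.e. the client got past the username prompt and failed at the password, which is what a dictionary attack against SASL LOGIN looks like. fail2ban ships ready-made filters for exactly these two line formats (`postfix-sasl` and `dovecot` in its filter.d), so in practice the matching above is what those filters do, with the addition of a `findtime` window over timestamps.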