Am trying to write a fail2ban regex that catches anyone who tries the user-id "administrador". For example, this log entry:
Jan 2 09:55:01 mail2 dovecot: pop3-login: Disconnected: user=<administrador>, method=PLAIN, rip=::ffff:201.130.1.218
Here's the regex I have so far:
failregex = (?: pop3-login|imap-login): .*(?:Disconnected: user=\<administrador\>).*rip=(?P<host>\S*),.*
It doesn't catch the log entry above because the syntax is wrong. Can anyone help?
Using fail2ban, I want to ban these spammers who are sending to a spamtrap address:
Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<odwsgs.com>
Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[182.177.131.71]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: rigplj.com, MTA hostname: unknown[182.177.131.71] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<rigplj.com>
Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
Oct 27 14:03:12 si68 postfix/smtpd[30183]: NOQUEUE: reject: RCPT from unknown[91.79.137.194]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (mchi.org); Please use DynDNS; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<ppp91-79-137-194.pppoe.mtu-net.ru>
Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ipr-management-mail.com>
Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mx1.nnamedia.com>
Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/70.39.119.76.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
I'm not very good at regular expressions, but I came up with this:
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap
However, when I test the above regex against the (46MB) maillog like so:
fail2ban-regex /var/log/maillog 'failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap'
The CPU goes nuts trying to process it. I figure the regex could be written more efficiently. Any suggestions?
Update: The IPs in the logfile above are only rejected for the particular transactions above. I want to completely block them. That is just a very small log excerpt. The very same spammer IPs aren't ONLY sending to spamtrap addresses, but also sending to real valid recipients, and are getting through.
In other words, I'd like to ban them the MOMENT they try the spamtrap address -- thus preventing further mails from the same IP from getting to a real person.
Have Win2008 Terminal Server. Works fine if only public NIC is enabled.
But you want to enable the private NIC as well. What happens? Boom, nobody can access the Terminal Server (via public NIC).
Have tried:
netsh interface ipv4 set interface "Private NIC" weakhostsend=enabled store=persistent
netsh interface ipv4 set interface "Private NIC" weakhostreceive=enabled store=persistent
netsh interface ipv4 set interface "Public NIC" weakhostsend=enabled store=persistent
netsh interface ipv4 set interface "Public NIC" weakhostreceive=enabled store=persistent
None of these worked.
route print output:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 111.222.333.1 111.222.333.99 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.244.0 255.255.255.0 On-link 192.168.244.1 502
192.168.244.1 255.255.255.255 On-link 192.168.244.1 756
192.168.244.255 255.255.255.255 On-link 192.168.244.1 756
111.222.333.0 255.255.255.0 On-link 111.222.333.99 276
111.222.333.99 255.255.255.255 On-link 111.222.333.99 276
111.222.333.255 255.255.255.255 On-link 111.222.333.99 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 111.222.333.99 276
224.0.0.0 240.0.0.0 On-link 192.168.244.1 756
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 111.222.333.99 276
255.255.255.255 255.255.255.255 On-link 192.168.244.1 756
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 111.222.333.1 1
192.168.244.0 255.255.255.0 192.168.244.1 2
===========================================================================
Update: After the suggestion below, I checked the binding order and corrected it. This made it work -- until the server was restarted.
After a reboot, nobody could connect again. The binding order is still correct, with Remote Access Connections followed by Public NIC followed by Private NIC.
The difference is, AFTER THE RESTART, the Persistent Routes order in route print above reversed itself. So it becomes:
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.244.0 255.255.255.0 192.168.244.1 2
0.0.0.0 0.0.0.0 111.222.333.1 1
Any ideas on how to get the previous Persistent Routes order to stick?
Have two RAID controllers on an IBM server (X3500 M3) running Windows 2008R2:
Can anyone explain how to get email alerts when a disk fails on either of these 2 IBM-provided controllers?
Can this be setup from within Windows 2008R2? I guess we would need to download appropriate monitoring software from IBM to do this ... but I can't find the right software to download.
Have an IBM System x3500 M3 that refuses to boot from the IBM branded LSI SAS card if any SATA drive is also connected to the mainboard. The system restarts itself over and over. No error messages. Just sits there with a blinking cursor until it restarts, and the process repeats.
Tried changing the boot order, resetting the BIOS to defaults, and nothing helps. Tried different SATA drive models from IBM/Hitachi and Seagate, blank/without operating systems, and the same thing happens. If we add a SATA drive with an OS, for example Linux, it boots off the SATA drive and does not boot off the SAS. (Want it to boot off the SAS.)
Remove the SATA drive(s) and the SAS RAID1 array boots fine. The SAS drive array is running VMWare ESXi.
Any suggestions?
Trying to resize 2 ntfs system and boot partitions (windows 2003 server) using GParted. Goal:
Tried resizing /dev/sda5 first and got the chkdsk error shown in screenshot #2. (You must run chkdsk /f). Have already run chkdsk /f on C: multiple times with no bad sectors or errors found. Have also run multiple chkdsk /f's on the underlying hard disk multiple times and rebooted way more than a couple times with the same error.
How do you force gparted to ignore this error and resize? I found there is --force option to ntfsresize but don't know how to get the GParted ISO live CD to use it.
How do you move the unallocated space so an extra ~750G is to the right of /dev/sda1 (D:), and an extra 10G to the right of /dev/sda5 (C:)
Say you have a directory with tens of thousands of messages in it. And you want to separate the spam from the non-spam.
Specifically, you would like to:
What command can you run to accomplish this? For example, some pseudocode:
/usr/local/bin/spamassassin -eL ./Maildir/cur/* | grep "X-Spam-Flag: YES" | mv %1 /tmp/spam
Trying to import 53,800+ individual files (messages) using Gmail's POP fetcher.
Gmail understandably refuses, giving the error: "Too many messages to download. There are too many messages on the other server."
The folder in question looks like similar to:
/usr/home/customer/Maildir/cur/1203672790.V57I586f04M867101.mail.net:2,S
/usr/home/customer/Maildir/cur/1203676329.V57I586f22M520117.mail.net:2,S
/usr/home/customer/Maildir/cur/1203677194.V57I586f26M688004.mail.net:2,S
/usr/home/customer/Maildir/cur/1203679158.V57I586f2bM182864.mail.net:2,S
/usr/home/customer/Maildir/cur/1203680493.V57I586f33M740378.mail.net:2,S
/usr/home/customer/Maildir/cur/1203685837.V57I586f0bM835200.mail.net:2,S
/usr/home/customer/Maildir/cur/1203687920.V57I586f65M995884.mail.net:2,S
...
Using the shell (tcsh, sh, etc. on FreeBSD), what one-line command can I type to split this directory full of files into separate folders so Gmail only sees 1000 messages at a time? Something with find or ls | xargs mv maybe. Whatever is fastest.
The desired output directory would now look something like:
/usr/home/customer/Maildir/cur/1203672790.V57I586f04M867101.mail.net:2,S
/usr/home/customer/Maildir/cur/1203676329.V57I586f22M520117.mail.net:2,S
...
/usr/home/customer/set1/ (contains messages 1-1000)
/usr/home/customer/set2/ (contains messages 1001-2000)
/usr/home/customer/set3/ (etc.)
When a spammer uses his botnet of thousands of zombie PCs to spam at random nonexistent addresses @example.com, at a very high rate of speed, postfix exhausts our VPS provider's resource limits trying to deal with it. Specifically, it exhausts the number of non-TCP sockets, which is limited to 900 by the VPS. Am running postfix 2.3.3-2.1.el5_2 on CentOS 5 on a Virtuozzo linux VPS.
/var/log/maillog says:
Feb 23 06:26:22 postfix/smtpd[3938]: warning: connect #1 to subsystem private/proxymap: Cannot allocate memory
Feb 23 06:26:22 postfix/smtpd[3936]: fatal: socket: Cannot allocate memory
Feb 23 06:26:48 postfix/qmgr[17702]: fatal: socket: Cannot allocate memory
Firewalling would be kind of tough because of the thousands of IPs involved in the dictionary attack.
The VPS provider suggested tuning the following parameters, but did not give suggestions on what to set them to:
max_idle = 100s (default)
max_use = 100 (default)
I found another person having the same problem with postfix and spammer dictionary attacks:
http://forums.vpslink.com/linux/394-you-hitting-socket-resource-limits-2.html#post5241
He changed:
default_process_limit from 100 (default) to 10
... which solved the problem but introduced a performance penalty.
I am unsure exactly which parameter should be safely tuned here, even after skimming postfix.org/TUNING%5FREADME.html Can any postfix expert help?