I’ve installed BFD and I’m really liking how it’s blocking SSH login attempts, but my real problem is with qmail. Are there any BFD gurus out there? What I’d like to do is to block a user from sending too many emails through the server. Here is the specific rule file for qmail:
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="3"
# uncomment to disable alerting for this rule
# SKIP_ALERT="1"
# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-pop3d"
if [ -f "$REQ" ]; then
    PORTS="110,143,993,995"
    LP="/var/log/maillog"
    TLOG_TF="vpopmail"
    ## vpopmail [qmail]
    # strip IPv4-mapped IPv6 prefixes, keep lines with an IPv4 address, then
    # turn each vchkpw-pop3 failure line into "IP:user" for BFD to count
    ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-pop3: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
fi
But what I’m looking for is to block multiple attempts (set by TRIG) from a certain email address. The log looks like this:
Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
Mar 10 13:46:41 centos6 vpopmail[4537]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
Mar 10 13:47:14 centos6 vpopmail[4600]: vchkpw-submission: (PLAIN) login success [email address]:107.10.181.xxx
Mar 10 13:47:17 centos6 vpopmail[4609]: vchkpw-submission: (PLAIN) login success [email address]:100.36.114.xxx
Mar 10 13:47:49 centos6 vpopmail[4678]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:47:51 centos6 vpopmail[4705]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
How do I change the ARG_VAL to read these ‘good’ logins and capture them so I can set a threshold to ban an IP?
In addition, does anyone know how to ban using BFD for a period of time rather than forever?
Thanks!
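The following is an added example, not code from the original post or from the BFD project. It shows a sed pipeline that turns the "vchkpw-submission: (PLAIN) login success user:IP" lines quoted above into the same "IP:user" shape the poster's pop3 rule already emits from ARG_VAL, and then counts hits per IP against TRIG to show what the threshold would flag. It assumes that BFD consumes ARG_VAL as one "IP:user" line per hit (the shape the existing rule produces), that the "login success" lines end in the mailbox and IP separated by a colon as in the quoted log, and that a new rule file should use its own TLOG_TF name rather than reuse "vpopmail", so the two rules do not share one log-position tracker (an assumption about how tlog tracks position per name). The sample log lines, mailboxes and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from BFD): extract successful
# submission logins as "IP:user" and count them per IP against TRIG.

TRIG="3"   # same value as in the rule file above

# Constructed sample log in the format quoted in the post. Addresses are from
# the RFC 5737 documentation ranges; the mailboxes are invented. Line 4 uses
# an IPv4-mapped IPv6 address and line 5 is a failure, to show both are handled.
SAMPLE_LOG='Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success bob@example.com:198.51.100.7
Mar 10 13:46:41 centos6 vpopmail[4537]: vchkpw-submission: (PLAIN) login success carol@example.com:::ffff:192.0.2.10
Mar 10 13:47:14 centos6 vpopmail[4600]: vchkpw-submission: password fail bob@example.com:203.0.113.5
Mar 10 13:47:17 centos6 vpopmail[4609]: vchkpw-submission: (PLAIN) login success dave@example.com:203.0.113.9'

# Reads log lines on stdin and writes one "IP:user" line per successful
# submission login. In a rule file this is the pipeline that follows
# "$TLOG_PATH $LP $TLOG_TF" in ARG_VAL. The ::ffff: strip and the IPv4 grep
# are kept from the poster's pop3 rule so IPv4-mapped addresses come out as
# plain dotted quads (IPv6-only clients are not matched, as in that rule).
extract_submission_logins() {
    sed -e 's/::ffff://' \
      | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | sed -n -e '/vchkpw-submission: (PLAIN) login success/s/.*login success \([^ :]*\):\([0-9.]*\).*/\2:\1/p'
}

# Reads "IP:user" lines on stdin and prints each IP seen at least TRIG times.
# BFD does this counting itself; this only shows what the threshold would
# flag on a given log excerpt.
ips_at_or_over_trig() {
    trig="$1"
    cut -d: -f1 | sort | uniq -c | awk -v t="$trig" '($1 + 0) >= (t + 0) { print $2 }'
}

# Helpers that run the pipeline over the constructed sample.
sample_hits() { printf '%s\n' "$SAMPLE_LOG" | extract_submission_logins; }
sample_flagged() { sample_hits | ips_at_or_over_trig "$TRIG"; }

# Stand-alone run: the extracted hits, then the IPs that reach TRIG.
sample_hits
echo "--- at or over TRIG=$TRIG ---"
sample_flagged
```

One caveat before dropping this into a rule: the log quoted in the post shows the same address logging in twice within a second, which is normal for a mail client that opens several submission connections, so a TRIG of 3 counted over successful logins will catch ordinary users as readily as an abusive sender. A noticeably higher threshold, or a per-account sending limit enforced by the submission service itself, is the more targeted control for "too many emails" than an IP ban triggered by successful authentication.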