ISPC3, Buster, perfect setup. I have a problem with one IP hammering my server every second or less.

Code:
Sep 5 14:39:13 panda postfix/smtpd[20373]: NOQUEUE: reject: RCPT from unknown[72.164.208.101]: 450 4.7.1 <Edco-Edge.edco.local>: Helo command rejected: Host not found; from=<> to=<slr@domain_of_my_client> proto=ESMTP helo=<Edco-Edge.edco.local>

I would like to set up Fail2ban to block these attacks. I tried several rules, regexps and so on (from examples found via Google search), but with no success. Does anybody have a suggestion on how to do it properly?
You have to give more information for us to help you. The general approach is:

1. Enable postfix (or postfix-sasl) in fail2ban in the file /etc/fail2ban/jail.local
2. Add or adjust your rule in /etc/fail2ban/filter.d/postfix.conf (or postfix-sasl.conf)
3. Restart fail2ban
4. Watch your success: watch -d -n 10 fail2ban-client status postfix

You can test your regex online with tools like https://regex101.com/
Thanks, it's working now. If anyone has the same problem, here is how it's done:

/etc/fail2ban/jail.local, added:

Code:
[postfix]
enabled  = true
# smtp = 25, ssmtp = 465 (SMTPS), submission = 587
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 50

/etc/fail2ban/filter.d/postfix.conf, added:

Code:
# <mdre-<mode>> pulls in the patterns of the selected mode (normal by default);
# the lines below are appended to them. Every angle-bracketed field of the
# HELO reject (HELO name, sender, recipient) is matched with <[^>]*>.
failregex = <mdre-<mode>>
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <[^>]*>: Helo command rejected: Host not found; from=<[^>]*> to=<[^>]*> proto=ESMTP helo=<[^>]*>$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1 .*$
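To check a filter before restarting fail2ban (step 4 of the reply above, and the failregex lines in the solution post), here is an added example that is not code from this thread or from fail2ban itself: a Python script that expands the fail2ban placeholders `%(__prefix_line)s` and `<HOST>` into plain regexes and runs the five patterns over a constructed slice of mail.log, counting matches per IP the way the jail's failure counter does. The simplified `PREFIX_LINE`, the `HOST_RE` group and the `scan`/`would_ban`/`unmatched` helpers are this example's own assumptions; fail2ban's real prefix definition is broader, and its ban decision also applies `findtime`, which this script ignores. The HELO pattern is written so that each angle-bracketed field is matched by `<[^>]*>`.

```python
#!/usr/bin/env python3
"""Dry-run postfix failregex lines against sample mail.log lines (offline
stand-in for fail2ban-regex; see the usage note below)."""
import re
from collections import Counter

# Constructed sample of /var/log/mail.log. Only the first line reproduces the
# entry quoted in the question (recipient domain replaced); the rest are made up.
SAMPLE_LOG = """\
Sep  5 14:39:13 panda postfix/smtpd[20373]: NOQUEUE: reject: RCPT from unknown[72.164.208.101]: 450 4.7.1 <Edco-Edge.edco.local>: Helo command rejected: Host not found; from=<> to=<slr@example.com> proto=ESMTP helo=<Edco-Edge.edco.local>
Sep  5 14:39:14 panda postfix/smtpd[20373]: NOQUEUE: reject: RCPT from unknown[72.164.208.101]: 450 4.7.1 <Edco-Edge.edco.local>: Helo command rejected: Host not found; from=<> to=<slr@example.com> proto=ESMTP helo=<Edco-Edge.edco.local>
Sep  5 14:40:01 panda postfix/smtpd[20391]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.7]: 554 5.7.1 <bob@example.com>: Recipient address rejected: Access denied; from=<a@b.example> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Sep  5 14:40:05 panda postfix/smtpd[20391]: improper command pipelining after EHLO from unknown[198.51.100.9]:
Sep  5 14:41:00 panda postfix/smtpd[20400]: connect from legit.example.org[192.0.2.10]
"""

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: syslog
# timestamp, host name, "postfix/smtpd[pid]: "). fail2ban's real definition
# also accepts journald output and other daemon prefixes.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d )?\S+ postfix/smtpd\[\d+\]: "

# fail2ban turns <HOST> into a capture group; here a named group for an
# IPv4 or IPv6 address is used (assumption, simplified from fail2ban's own).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# The five patterns appended to failregex in the solution post, with each
# angle-bracketed field of the HELO reject matched by <[^>]*>.
FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <[^>]*>: "
    r"Helo command rejected: Host not found; from=<[^>]*> to=<[^>]*> proto=ESMTP helo=<[^>]*>$",
    r"^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1 .*$",
]


def compile_failregex(patterns, prefix=PREFIX_LINE):
    """Expand the fail2ban placeholders into plain Python regexes."""
    return [
        re.compile(p.replace("%(__prefix_line)s", prefix).replace("<HOST>", HOST_RE))
        for p in patterns
    ]


def scan(log_text, patterns=FAILREGEX):
    """Return {ip: number of matching lines}, like the jail's failure counter."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, even if several patterns match
    return dict(hits)


def unmatched(log_text, patterns=FAILREGEX):
    """Lines no pattern matches; useful to spot a log format the regex misses."""
    compiled = compile_failregex(patterns)
    return [ln for ln in log_text.splitlines() if not any(rx.match(ln) for rx in compiled)]


def would_ban(hits, maxretry):
    """IPs whose failure count reached maxretry (findtime is not modelled)."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} matching line(s)")
    print("would ban with maxretry=2: ", would_ban(hits, 2))
    print("would ban with maxretry=50:", would_ban(hits, 50))
    print("unmatched lines:", len(unmatched(SAMPLE_LOG)))
```

On the real box, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf` performs the same check with fail2ban's own `__prefix_line` and `<HOST>` definitions, and is the tool to trust for the final word; the script above is only for iterating on a pattern offline.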