I have blocked an IP using route add -host 121.35.76.51 reject but the same IP is still showing repeatedly in mail warn log for the login attempts like

Nov 23 03:57:20 server1 postfix/smtpd[27250]: warning: unknown[121.35.76.51]: SASL LOGIN authentication failed: authentication failure
Nov 23 03:57:21 server1 postfix/smtpd[27250]: warning: 121.35.76.51: hostname 51.76.35.121.broad.sz.gd.dynamic.163data.com.cn verification failed: No address associated with hostname
Nov 23 03:57:23 server1 postfix/smtpd[27250]: warning: unknown[121.35.76.51]: SASL LOGIN authentication failed: authentication failure
Nov 23 03:57:24 server1 postfix/smtpd[27250]: warning: 121.35.76.51: hostname 51.76.35.121.broad.sz.gd.dynamic.163data.com.cn verification failed: No address associated with hostname

Please help.
You can use iptables:

iptables -A INPUT -s 121.35.76.51 -j DROP

or use fail2ban, it blocks automatically. Cheers
I am already using fail2ban, but I think before fail2ban acts, the login attempts run into the 100s. How can I set a rule so that any failed attempts are acted upon immediately, say after 5 failed attempts? Thanks
You can set the number of failed login attempts in your fail2ban configuration (in the /etc/fail2ban/ directory).
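
The counting that fail2ban's maxretry and findtime settings control, as an added example that is not part of the original thread and is not fail2ban's own code: it scans Postfix SASL failure lines in the format quoted in the question and reports the moment an IP reaches 5 failures inside the time window. The names find_bans and SAMPLE, the year default, and the second IP (192.0.2.10, a documentation address) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix SASL failure lines quoted in the question;
# the "hostname ... verification failed" warnings do not match.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

def find_bans(lines, maxretry=5, findtime=600, year=2000):
    """Return {ip: time of the failure that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in bans:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = ts
    return bans

def _fail(sec, ip):
    return (f"Nov 23 03:57:{sec:02d} server1 postfix/smtpd[27250]: warning: "
            f"unknown[{ip}]: SASL LOGIN authentication failed: authentication failure")

# Constructed sample: five failures from the IP in the question (seconds 20..28),
# one hostname warning copied from the question, one failure from another IP.
SAMPLE = [_fail(s, "121.35.76.51") for s in range(20, 30, 2)]
SAMPLE.insert(1, "Nov 23 03:57:21 server1 postfix/smtpd[27250]: warning: 121.35.76.51: "
                 "hostname 51.76.35.121.broad.sz.gd.dynamic.163data.com.cn verification "
                 "failed: No address associated with hostname")
SAMPLE.append(_fail(40, "192.0.2.10"))

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE).items():
        print(f"{ip} reaches 5 failures at {when:%b %d %H:%M:%S}")
```

If the window is shorter than the time an attacker takes to make maxretry attempts, the counter never reaches the threshold, which is one way a slow but persistent source keeps appearing in the log.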