Dovecot AUTH when not advertised should be penalized

Issue #89 resolved
Former user created an issue
  • sshguard 1.7.1-1
  • debian 9.4
  • Invocation
/bin/sh /usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog
...
/usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog
  • iptables

We get hundreds of attacks like this:

2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)

And this:

2018-06-03 13:35:07 SMTP protocol error in "AUTH LOGIN" H=dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com) [186.31.81.98] AUTH command used when not advertised: 1 Time(s)

I would love for sshguard to use these as inputs to decide to block.

Comments (8)

  1. Kevin Zheng

    This looks very similar to the exim "auth command used when not advertised" that recently landed. I'll take a look at supporting the Dovecot version.
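
A sketch of the matching such a rule needs, as an added example that is not part of the original thread and is not sshguard's own parser: it extracts the source address from log lines of the shape quoted in the issue and applies a simplified score-and-window model. The threshold of 40 and window of 5400 seconds mirror the `-a 40` and `-s 5400` in the invocation above; the score of 10 per line, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The HELO name inside H=(...) is chosen by the client, so the greedy ".*"
# makes the capture the LAST bracketed token before the fixed message text.
LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP protocol error in "AUTH[^"]*" '
    r'H=.*\[([0-9A-Fa-f:.]+)\] AUTH command used when not advertised'
)

def parse_line(line):
    """Return (timestamp, ip) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(2))  # reject malformed addresses
    except ValueError:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), ip

def offenders(lines, threshold=40, score=10, window=5400, whitelist=()):
    """Addresses whose score within `window` seconds reaches `threshold`."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    blocked = set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        if any(ip in net for net in allowed):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) * score >= threshold:
            blocked.add(str(ip))
    return blocked

# Constructed sample input (documentation address ranges, not real hosts).
FMT = ('2018-06-03 13:%02d:00 SMTP protocol error in "AUTH LOGIN" H=%s [%s] '
       'AUTH command used when not advertised: 1 Time(s)')
SAMPLE = [FMT % (m, "(mail.example.com)", "203.0.113.7") for m in (1, 2, 3, 4)] + [
    FMT % (5, "([192.0.2.1] AUTH command used when not advertised)", "198.51.100.9"),
    "2018-06-03 13:06:00 unrelated line [192.0.2.55]",
]
```

The fifth sample line carries a bracketed address and the message text inside the HELO name; the parser still attributes it to the connecting address, so a client cannot get a third party blocked by forging that field.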
