Dovecot AUTH when not advertised should be penalized

Issue #89 resolved
Former user created an issue
  • sshguard 1.7.1-1
  • debian 9.4
  • Invocation
/bin/sh /usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog
...
/usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 5400 -l /var/log/auth.log -l /var/log/mail.log -l /var/log/exim4/mainlog
  • iptables

We get hundreds of attacks like this:

2018-06-03 13:16:08 SMTP protocol error in "AUTH LOGIN" H=(mail.example.com) [123.24.161.123] AUTH command used when not advertised: 1 Time(s)

And this:

2018-06-03 13:35:07 SMTP protocol error in "AUTH LOGIN" H=dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com) [186.31.81.98] AUTH command used when not advertised: 1 Time(s)

I would love for sshguard to use these as inputs to decide to block.
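The detection requested above, as an added example that is not part of the original report and not sshguard's own parser: it extracts the peer address from the Exim lines quoted in the issue and applies a simplified score model. The function names, the per-event score of 10 and the sliding-window logic are assumptions of this sketch; the threshold and window mirror the -a 40 and -s 5400 options in the invocation.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The HELO name in H=(...) is chosen by the client, so the greedy ".*" makes
# the regex take the last bracketed address before the fixed message text.
AUTH_NOT_ADVERTISED = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol error in "AUTH[^"]*" H=.* '
    r'\[(?P<ip>[^\]\s]+)\](?::\d+)? '  # optional :port (incoming_port log selector)
    r'AUTH command used when not advertised'
)

def parse_attack(line):
    """Return (timestamp, ip) for a matching mainlog line, else None."""
    m = AUTH_NOT_ADVERTISED.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # bracket content is not an address; ignore the line
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), str(ip)

def addresses_to_block(lines, threshold=40, score=10, window_s=5400):
    """Addresses whose score reaches threshold within window_s (assumed model)."""
    seen, blocked = defaultdict(list), []
    window = timedelta(seconds=window_s)
    for line in lines:  # lines are expected in chronological order
        hit = parse_attack(line)
        if hit is None:
            continue
        ts, ip = hit
        seen[ip] = [t for t in seen[ip] if ts - t <= window] + [ts]
        if len(seen[ip]) * score >= threshold and ip not in blocked:
            blocked.append(ip)
    return blocked

# Constructed sample: the two hosts from the report plus a HELO address literal.
_MSG = '2018-06-03 {t} SMTP protocol error in "AUTH LOGIN" H={h} [{ip}] AUTH command used when not advertised'
SAMPLE = [
    _MSG.format(t="13:16:08", h="(mail.example.com)", ip="123.24.161.123"),
    _MSG.format(t="13:35:07", h="dynamic-186-31-81-98.dynamic.etb.net.co (mail.example.com)", ip="186.31.81.98"),
    _MSG.format(t="13:36:10", h="([192.0.2.10])", ip="186.31.81.98"),
    _MSG.format(t="13:37:15", h="(mail.example.com)", ip="186.31.81.98"),
    _MSG.format(t="13:38:20", h="(mail.example.com)", ip="186.31.81.98"),
]
```

Running addresses_to_block(SAMPLE) returns only 186.31.81.98, and the HELO literal [192.0.2.10] in the third line is never treated as the peer address.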
