From: Roman Buerkle on 10 Mar 2010 12:10

Hi

We get a lot of dictionary attacks against our servers (who doesn't :), so I am trying to figure out how to get more info into the error message.

Now it's like:

/var/log/maillog
Mar 4 15:57:50 blue2 sendmail[31004]: o24Ev9wS031004: <hb5580(a)xxxx.de>... No such user here
Mar 4 15:58:02 blue2 sendmail[31414]: o24Ew1gx031414: <thomas(a)xxxxx.de>... No such user here
Mar 4 15:58:10 blue2 sendmail[31004]: o24Ev9wT031004: <hb5580(a)yyyyy.net>... No such user here
Mar 4 15:58:22 blue2 sendmail[31552]: o24EwL8h031552: <susanne.inmuth(a)zzz.de>... No such user here

What I need to stop these guys would be to have the sender IP address (e.g. 123.123.123.123) in the log row, something like this:

Mar 4 15:57:50 blue2 sendmail[31004]: o24Ev9wS031004: hb5580(a)xxxx.de>... No such user here [123.123.123.123]
Mar 4 15:58:02 blue2 sendmail[31414]: o24Ew1gx031414: <thomas(a)xxxxx.de>... No such user here [123.123.123.123]
Mar 4 15:58:10 blue2 sendmail[31004]: o24Ev9wT031004: <hb5580(a)yyyyy.net>... No such user here [123.123.123.123]
Mar 4 15:58:22 blue2 sendmail[31552]: o24EwL8h031552: <susanne.inmuth(a)zzz.de>... No such user here [123.123.123.123]

My /etc/mail/virtusertable looks like:

@mail.xxxx.de error:nouser No such user here

Is there a way to configure this?
Can anybody help me with that?

Thanks in advance
Roman

From: Robert Bonomi on 10 Mar 2010 16:02

In article <hn8jqo$s1g$1(a)news01.versatel.de>, Roman Buerkle <rob-sendmail(a)roman-b.de> wrote:
>Hi
>
>we get a lot of dictionary attacks against our servers, who doesnt :), so
>i try to figure out, how to get more info into the error msg.
>
>now its like:
>
>/var/log/maillog
>Mar 4 15:57:50 blue2 sendmail[31004]: o24Ev9wS031004:
><hb5580(a)xxxx.de>... No such user here
>Mar 4 15:58:02 blue2 sendmail[31414]: o24Ew1gx031414:
><thomas(a)xxxxx.de>... No such user here
>Mar 4 15:58:10 blue2 sendmail[31004]: o24Ev9wT031004:
><hb5580(a)yyyyy.net>... No such user here
>Mar 4 15:58:22 blue2 sendmail[31552]: o24EwL8h031552:
><susanne.inmuth(a)zzz.de>... No such user here
>
>What i need to stop these guys would be to have the sender-ip-adress (i.e
>123.123.123.123 ) in the logrow, something like this:
>
>Mar 4 15:57:50 blue2 sendmail[31004]: o24Ev9wS031004:
>hb5580(a)xxxx.de>... No such user here [123.123.123.123]
>Mar 4 15:58:02 blue2 sendmail[31414]: o24Ew1gx031414:
><thomas(a)xxxxx.de>... No such user here [123.123.123.123]
>Mar 4 15:58:10 blue2 sendmail[31004]: o24Ev9wT031004:
><hb5580(a)yyyyy.net>... No such user here [123.123.123.123]
>Mar 4 15:58:22 blue2 sendmail[31552]: o24EwL8h031552:
><susanne.inmuth(a)zzz.de>... No such user here [123.123.123.123]
>
>My /etc/mail/virtusertable looks like:
>
>@mail.xxxx.de error:nouser No such user here
>
>Is there a way to configure this?
>Can anybody help me with that?

The information is _already_ in the log file. Just on different lines.

You can match on either the reporting PID or, _better_, the internal message ID.

From: Roman Buerkle on 10 Mar 2010 16:16

On Wed, 10 Mar 2010 15:02:01 -0600, Robert Bonomi wrote:
> The information is _already_ in the log file. Just on different lines.
>
> You can match on either the reporting PID or, _better_, the internal
> message ID.

Thanks Robert, but I need it in one line. I use fail2ban to stop them, but there's no possibility to match different lines :(

Could it be patched somehow?

Regards
Roman

From: Roman Buerkle on 15 Mar 2010 10:54

Just for info, I managed to get the spammer IP behind the log line:

/etc/mail/sendmail.cf:

old:
-----------------------
# handle virtual users
......
R< error : $-.$-.$- : $+ > $*	$#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $*	$#error $@ $(dequote $1 $) $: $2

new:
-----------------------
# handle virtual users
......
R< error : $-.$-.$- : $+ > $*	$#error $@ $1.$2.$3 $: $4 [$&{client_addr}]
R< error : $- $+ > $*	$#error $@ $(dequote $1 $) $: $2 [$&{client_addr}]

This produces:

Mar 15 12:49:28 bx1 sendmail[12575]: o2FBn3SF012575: sdsjkhdsjkdhsjk(a)domain.com... No such user here[192.168.23.112]
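
Added example, not part of the thread and not code from any poster: a log summarizer that counts "No such user here" rejections per client IP, reading the one-line form produced by the patched rules and, for unpatched logs, joining on the message ID as suggested in the second post. It assumes the client address of an unpatched rejection appears on that message ID's `from=..., relay=name [ip]` line, which may be logged after the rejections; the sample lines are constructed.

```python
import re
from collections import Counter

# "sendmail[pid]: <message id>: <text>", as in the log lines quoted in the thread
LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# Patched form from the last post: "... No such user here[192.168.23.112]"
INLINE = re.compile(r"No such user here\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*$")
# Assumed envelope line: "from=<...>, ..., relay=name [ip]"
RELAY = re.compile(r"\bfrom=.*\brelay=[^,]*\[(?P<ip>[0-9A-Fa-f.:]+)\]")

def rejects_by_ip(lines):
    """Count 'No such user here' rejections per client IP."""
    hits = Counter()
    ip_of = {}           # message id -> client IP from its relay= line
    pending = Counter()  # message id -> rejections logged before that line
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        inline, relay = INLINE.search(rest), RELAY.search(rest)
        if inline:                          # one-line form, IP already present
            hits[inline["ip"]] += 1
        elif "No such user here" in rest:   # stock form, join on message id
            if qid in ip_of:
                hits[ip_of[qid]] += 1
            else:
                pending[qid] += 1
        elif relay:
            ip_of[qid] = relay["ip"]
            if qid in pending:              # rejections came before this line
                hits[relay["ip"]] += pending.pop(qid)
    return hits

# Constructed sample log (documentation addresses), not taken from the thread
SAMPLE = [
    "Mar  4 15:57:50 mx1 sendmail[31004]: o24Ev9wS031004: <a@example.com>... No such user here",
    "Mar  4 15:57:58 mx1 sendmail[31004]: o24Ev9wS031004: <b@example.com>... No such user here",
    "Mar  4 15:58:01 mx1 sendmail[31004]: o24Ev9wS031004: from=<x@example.net>, size=0, "
    "class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [203.0.113.7]",
    "Mar 15 12:49:28 mx1 sendmail[12575]: o2FBn3SF012575: c@example.com... No such user here[198.51.100.9]",
]

if __name__ == "__main__":
    for ip, count in rejects_by_ip(SAMPLE).most_common():
        print(ip, count)
```

Rejections whose message ID never gets a relay line in the input stay uncounted rather than being attributed to a guessed address.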