I’ve added fail2ban to the SL7 version of our auth SMTP service. None of the sendmail filters that come with the fail2ban RPM seemed like they’d do the trick for us, so I’ve just overridden the supplied filter.d/sendmail-auth.conf with a sendmail-auth.local containing just:
[Definition]
failregex = ^%(__prefix_line)s.*AUTH failure.*\[<HOST>\]( \(may be forged\))?$
That alone isn’t enough to get a match, though: sendmail only logs AUTH failures at LogLevel 10 or above, and its default LogLevel is 9, so the filter sees nothing until the service is also run at log level 10.
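As an added illustration (not part of the original post, and not fail2ban’s own code), the script below runs the failregex above over a few constructed maillog lines of the kind sendmail emits at LogLevel 10 and then applies a maxretry/findtime sliding window to the matches, the way a fail2ban jail decides whether to ban. The syslog-prefix pattern, the <HOST> expansion and the sample log lines are simplified assumptions, not fail2ban’s real common.conf definitions or real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/maillog lines (not real traffic). The
# "AUTH failure" lines only exist in the log when sendmail runs at LogLevel 10+.
SAMPLE_LOG = """\
Mar  3 10:01:05 smtp1 sendmail[2001]: v23A15aa002001: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=alice, relay=[192.0.2.10]
Mar  3 10:01:09 smtp1 sendmail[2002]: v23A19aa002002: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin, relay=[192.0.2.10]
Mar  3 10:01:14 smtp1 sendmail[2003]: v23A1Eaa002003: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test, relay=[192.0.2.10]
Mar  3 10:02:30 smtp1 sendmail[2004]: v23A2Uaa002004: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob, relay=host.example.net [198.51.100.7] (may be forged)
Mar  3 10:02:31 smtp1 sendmail[2005]: v23A2Vaa002005: AUTH=server, relay=[203.0.113.5], authid=carol, mech=LOGIN, bits=0
Mar  3 10:03:00 smtp1 sendmail[2006]: v23A30aa002006: ruleset=check_rcpt, arg1=<x@example.org>, relay=[203.0.113.9], reject=550 5.7.1 <x@example.org>... Relaying denied
"""

# Assumption: a simplified stand-in for the syslog timestamp that fail2ban
# detects and strips from the line before the failregex is applied.
SYSLOG_DATE = re.compile(r'^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ')

# Assumption: a simplified stand-in for fail2ban's %(__prefix_line)s,
# i.e. "hostname daemon[pid]: ".
PREFIX_LINE = r'(?:\S+ )?\S+\[\d+\]: '

# Assumption: a simplified expansion of fail2ban's <HOST> tag (IPv4/IPv6 only).
HOST = r'(?P<host>[0-9A-Fa-f.:]+)'

# The failregex from sendmail-auth.local with the prefix and <HOST> expanded.
FAILREGEX = re.compile(
    r'^' + PREFIX_LINE + r'.*AUTH failure.*\[' + HOST + r'\]( \(may be forged\))?$'
)


def parse_failures(log_text, year=2017):
    """Return a list of (timestamp, ip) for every line the failregex matches.

    Lines without a syslog date, or that do not match, are ignored, which is
    what happens to the "AUTH=server" and "Relaying denied" lines above.
    """
    failures = []
    for line in log_text.splitlines():
        m = SYSLOG_DATE.match(line)
        if not m:
            continue
        # Syslog dates carry no year; assume one so the timestamps are comparable.
        ts = datetime.strptime(f"{year} {m.group('date')}", "%Y %b %d %H:%M:%S")
        f = FAILREGEX.match(line[m.end():])
        if f:
            failures.append((ts, f.group('host')))
    return failures


def decide_bans(failures, maxretry=3, findtime=timedelta(seconds=600)):
    """Ban an IP once it has >= maxretry failures inside a findtime window.

    This mirrors the jail's maxretry/findtime semantics with a per-IP sliding
    window; the real fail2ban also applies bantime, which is not modelled here.
    """
    window = defaultdict(deque)
    banned = []
    for ts, ip in sorted(failures):
        q = window[ip]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for ts, ip in found:
        print(f"{ts:%b %d %H:%M:%S}  AUTH failure from {ip}")
    print("would ban:", decide_bans(found))
```

Run it as is and the three failures from 192.0.2.10 inside nine seconds trip a maxretry of 3, while the single "(may be forged)" failure from 198.51.100.7 matches the regex but stays below the threshold; the successful AUTH=server line and the relaying rejection never match, so a legitimate user’s IP is not counted. Use the same sample lines with fail2ban-regex against the real filter to confirm the production regex behaves the same way.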
Currently I’m using the local lcfg-hostsdeny and tcpwrappers template like sshd does, but we should probably look at using iptables instead.
In the few days it’s been running, 21 IP addresses have been banned.