I see the same non-SMTP requests in my maillog and I can't figure out what is missing so those requests can be blocked.
fail2ban is set up and I have configured a jail.local file. How can I block those 6 requests?
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /system_api.php HTTP/1.1
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /streaming/clients_live.php HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /client_area/ HTTP/1.1
Feb 10 10:58:59 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/ HTTP/1.1
The postfix section of my jail.local is shown below:
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
mode = more
port = smtp,ssmtp,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
bantime = 1000
findtime = 10000
maxretry = 3
maxmatches = %(maxretry)s
bantime.increment = true
bantime.rndtime = 1000
bantime.factor = 1
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
bantime.multipliers = 1 2 4 8 16 32 64
bantime.overalljails = true
It looks like the default postfix rules are not blocking / banning those non-SMTP requests. What am I missing here?
The missing part was the <HOST> tag in the filter, so fail2ban knows which IP to ban.
The filter now looks like this:
[Definition]
failregex = ^.*\[<HOST>].*system\_api
            ^.*\[<HOST>].*c\/version\.js
            ^.*\[<HOST>].*streaming\/clients
            ^.*\[<HOST>].*client\_area
            ^.*\[<HOST>].*stalker\_portal
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
ignoreregex =
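To see why the <HOST> tag matters, the following added example (not part of the question or the answer) replays the answer's five failregex lines over log lines constructed to match the ones in the question, plus one benign connect line. It substitutes a simplified IPv4-only pattern for <HOST> (an assumption: fail2ban's real expansion also covers IPv6 and hostnames), counts hits per source address the way a jail does against maxretry, and reports any pattern that has no <HOST> group at all, since such a pattern can match a line but gives fail2ban no address to ban.

```python
import re
from collections import Counter

# Constructed sample log: the six probes from the question plus one harmless connect line.
SAMPLE_LOG = """\
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /system_api.php HTTP/1.1
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /streaming/clients_live.php HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /client_area/ HTTP/1.1
Feb 10 10:58:59 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/ HTTP/1.1
Feb 10 11:02:11 host postfix/submission/smtpd[5201]: connect from mail.example.net[203.0.113.5]
"""

# The failregex lines from the answer's filter, verbatim.
FAILREGEX = [
    r"^.*\[<HOST>].*system\_api",
    r"^.*\[<HOST>].*c\/version\.js",
    r"^.*\[<HOST>].*streaming\/clients",
    r"^.*\[<HOST>].*client\_area",
    r"^.*\[<HOST>].*stalker\_portal",
]

# Assumption: simplified stand-in for fail2ban's <HOST> expansion (IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def patterns_missing_host(patterns):
    """Return the patterns that carry no <HOST> tag; fail2ban cannot ban from these."""
    return [p for p in patterns if "<HOST>" not in p]


def compile_filter(patterns, host_re=HOST_RE):
    """Expand <HOST> into a named capture group and compile each failregex."""
    return [re.compile(p.replace("<HOST>", host_re)) for p in patterns]


def match_failures(log_text, patterns):
    """Return one offending address per log line that matches any failregex."""
    compiled = compile_filter(patterns)
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # one failure per line, as fail2ban counts it
    return hosts


def hosts_to_ban(log_text, patterns, maxretry=3):
    """Addresses whose failure count within the sample reaches the jail's maxretry."""
    counts = Counter(match_failures(log_text, patterns))
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("patterns without <HOST>:", patterns_missing_host(FAILREGEX))
    print("failures:", match_failures(SAMPLE_LOG, FAILREGEX))
    print("would ban (maxretry=3):", hosts_to_ban(SAMPLE_LOG, FAILREGEX))
```

Against a live system the equivalent check is fail2ban's own `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<your-filter>.conf`, which prints how many lines each failregex matched and which addresses it extracted; a filter that matches lines but extracts no address is the symptom the answer describes.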