
fail2ban vs. syslogd compression

From: Maxim Kammerer <mk(at)antira.info>
Date: Tue Aug 28 2007 - 06:43:10 EDT


Hello everybody,

I believe this belongs on the security mailing list. I recently took a server online and it was immediately hit by POP3-cracking attempts. Well, they were quite stupid, since they were attempting once for each name taken from a 'frequent names list', so I guess somebody was looking for non-password-protected accounts. However, being annoyed, I wanted to tweak fail2ban, which I am already using for ssh, to cover pop3 and imap, too. No problem, the standard Debian /etc/fail2ban/jail.conf has the relevant sections, so I went ahead.

But then I ran a test, and fail2ban didn't respond. The reason was that I hit the server 5 times (my fail2ban max-retry) in quite a short time, so instead of logging 'pop3: login failed <host>' 5 times to mail.log, it logged the message once and afterwards issued 'last message repeated 4 times', which is not helpful at all to fail2ban. However, I consider it a real-world scenario that a cracker/script kiddie would hit the server in a short time.

I then sought to disable this kind of log compression, but the man pages do not state how to do that. While the FreeBSD syslogd seems to have such a command-line switch (-c -c), the syslogd shipped with Debian doesn't have it, and syslog-ng seems not to have it, either.

So I ended up not knowing what to do and turned to the debian-security list. Do you people have any idea, or what are you doing?

Kind regards

Maxim

Received on Tue Aug 28 07:00:50 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:55 EDT
