Hello,
I have this in my logs (I include only the interesting lines):
Dec 30 11:07:31 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:09:32 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:10:51 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:12:01 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.187]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:15:31 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:16:17 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.211]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:18:32 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:20:21 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:22:33 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.166]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:23:55 myhost postfix/smtpd[xxxxxx]: warning: unknown[yyy.192.246.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:20:35 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.25 port XXXXXX ssh2
Dec 30 11:22:55 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.189 port XXXXXX ssh2
Dec 30 11:25:12 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.121 port XXXXXX ssh2
Dec 30 11:26:21 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.111 port XXXXXX ssh2
Dec 30 11:28:58 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.78 port XXXXXX ssh2
Dec 30 11:31:47 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.211 port XXXXXX ssh2
Dec 30 11:33:55 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.56 port XXXXXX ssh2
Dec 30 11:37:11 myhost sshd[xxxxxx]: Failed password for root from zzz.147.4.45 port XXXXXX ssh2
Because the attempts come from different IP addresses (but the same subnet), and in most cases an IP address is not repeated within an interval of 10 or 20 minutes, they can't hit the trigger and the filter skips them.
Is it possible to monitor a subnet and ban the entire subnet (yyy.192.246.0/24 and zzz.147.4.0/24) after X attempts from different IP addresses in that subnet? And how?
Thank you!
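The counting the question asks for, keyed by /24 instead of by host, as an added example that is not part of the original post and not a built-in fail2ban feature: a small Python script that parses failure lines in the postfix/sshd format shown above, keeps a sliding window per (service, subnet), and reports a subnet once the window holds a threshold of attempts from several distinct addresses. The sample log, the thresholds (10 minutes, 5 attempts, 3 distinct hosts), the `postfix-sasl`/`sshd` labels and the `iptables` DROP rule it prints are all assumptions; the masked octets from the post are replaced by documentation-range addresses. The same function run with a /32 prefix shows what a per-host jail sees on the same input, which is nothing.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines in the post. The masked octets
# (yyy / zzz / xxxxxx) are replaced by documentation-range addresses and made-up
# pids so the lines parse; none of these are real hosts. Lines must be in
# chronological order, as they are in a normal syslog file.
SAMPLE_LOG = """\
Dec 30 11:07:31 myhost postfix/smtpd[1001]: warning: unknown[203.0.113.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:09:32 myhost postfix/smtpd[1002]: warning: unknown[203.0.113.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:10:51 myhost postfix/smtpd[1003]: warning: unknown[203.0.113.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:12:01 myhost postfix/smtpd[1004]: warning: unknown[203.0.113.187]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:15:31 myhost postfix/smtpd[1005]: warning: unknown[203.0.113.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:16:17 myhost postfix/smtpd[1006]: warning: unknown[203.0.113.211]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 30 11:20:35 myhost sshd[2001]: Failed password for root from 198.51.100.25 port 40001 ssh2
Dec 30 11:22:55 myhost sshd[2002]: Failed password for root from 198.51.100.189 port 40002 ssh2
Dec 30 11:25:12 myhost sshd[2003]: Failed password for root from 198.51.100.121 port 40003 ssh2
Dec 30 11:26:21 myhost sshd[2004]: Failed password for root from 198.51.100.111 port 40004 ssh2
Dec 30 11:28:58 myhost sshd[2005]: Failed password for root from 198.51.100.78 port 40005 ssh2
Dec 30 11:31:47 myhost sshd[2006]: Failed password for root from 198.51.100.211 port 40006 ssh2
Dec 30 11:33:10 myhost sshd[2007]: Failed password for root from 192.0.2.9 port 40007 ssh2
"""

TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"

# Service labels are assumptions (chosen to resemble jail names), not fail2ban's.
PATTERNS = {
    "postfix-sasl": re.compile(
        TIMESTAMP + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
        r"SASL \w+ authentication failed"),
    "sshd": re.compile(
        TIMESTAMP + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
        r"from (?P<ip>[\d.]+) port \d+ ssh2"),
}


def parse_line(line, year=2024):
    """Return (service, timestamp, ip) for a recognised failure line, else None.
    Syslog omits the year, so the caller supplies one."""
    for service, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return service, ts, ipaddress.ip_address(m["ip"])
    return None


def find_subnet_bans(lines, findtime=timedelta(minutes=10), maxretry=5,
                     min_distinct_ips=3, prefixlen=24):
    """Sliding-window counter keyed by (service, subnet) instead of by host.

    A subnet is reported the first time a findtime-long window holds at least
    maxretry failures coming from at least min_distinct_ips different addresses.
    Returns {(service, "a.b.c.0/24"): trigger_timestamp}."""
    windows = defaultdict(deque)  # (service, subnet) -> deque of (ts, ip)
    bans = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # not a failure line we track
        service, ts, ip = event
        subnet = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        key = (service, subnet)
        window = windows[key]
        window.append((ts, ip))
        # Drop events that have fallen out of the window.
        while window and ts - window[0][0] > findtime:
            window.popleft()
        distinct = {e[1] for e in window}
        if key not in bans and len(window) >= maxretry and len(distinct) >= min_distinct_ips:
            bans[key] = ts
    return bans


def find_host_bans(lines, findtime=timedelta(minutes=10), maxretry=5):
    """The same counter per single host (a /32 'subnet'): what a per-IP jail
    sees on the same input."""
    return find_subnet_bans(lines, findtime, maxretry, min_distinct_ips=1, prefixlen=32)


def ban_command(subnet):
    """Firewall rule for a banned subnet. Only the string is returned; nothing
    is executed here."""
    return f"iptables -I INPUT -s {subnet} -j DROP"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-host bans:", find_host_bans(lines))  # empty: no single IP repeats
    for (service, subnet), ts in find_subnet_bans(lines).items():
        print(f"{ts:%H:%M:%S} {service}: ban {subnet} -> {ban_command(subnet)}")
```

On the sample input the per-host pass bans nothing, while the per-subnet pass flags 203.0.113.0/24 for postfix at 11:15:31 and 198.51.100.0/24 for sshd at 11:28:58; the lone 192.0.2.9 failure stays below the threshold. Before applying a rule like the one printed, put your own and your customers' ranges on an allowlist that is checked first: a /24 ban also blocks every legitimate host in that range, including shared mail relays.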