On Thu, 2023-06-22 at 16:27 +0100, Nick Howitt via Fail2ban-users wrote:
> On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
> > Hello, all.
> >
> > I just set up a new server, running Postfix, with submission(s) activated on the standard ports (587, 465).
> >
> > Shortly after it was set up, I see brute-force attacks (not surprising) from a whole /24 network (more surprising).
> >
> > I carefully checked the logs and see the modus operandi, which basically loops across the IP addresses in the network to avoid being blacklisted by tools like fail2ban. And it is true: even with fail2ban activated, no IP is blacklisted.
> >
> > By activating verbose logging, I see that multiple user names are tried, not only passwords.
> >
> > Is there any way, with Postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance?
> >
> > I basically need features that fail2ban doesn't offer:
> >
> > - I would like not to rely on reading logs, removing one step and acting more proactively.
> > - If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user having lost his password and a brute-force attack.
> > - If I log all the failures in a database, with the IP address and the whois information, the script would take decisions according to the whois information.
> >
> > What are you using on your side?
> >
> > - Do you know any service that I could use to get the network to ban from an IP address reputation, something like crowdsec, for instance?
> > - Has anyone had success with Suricata, Snort, or a tool like this?
> >
> > Please do not suggest third-party hosted services; I want this to be part of my self-hosting solution.
> >
> > Kind regards,
> > André
>
> Are you sure the attacks are on port 465/587? All the big ones I used to see were on 25 with user/pass. There is still little action on 587 as far as I can see. There is a bit. I don't use 465.
>
> What I have done is come at it from a completely different angle. Don't allow authentication on 25! If anyone needs to authenticate they have to use 587. If you're lazy you can allow unauthenticated connections from your LAN to save reconfiguring all internal devices, but for external devices, port 587 only. You still leave 25 open as you need it to receive emails.
>
> _______________________________________________
> Fail2ban-users mailing list
> fail2ban-us...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Yes, it is definitely happening on submission. I will probably end up using a VPN for submission and not expose these ports on the internet.

Kind regards,
André
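The pattern André describes above, failures rotated across a whole /24 so that no single address ever reaches fail2ban's per-IP maxretry, is exactly what per-address banning misses. The following is an added example, not code from the thread, from fail2ban or from Postfix: it parses Postfix SASL-failure log lines and counts failures both per address and per enclosing network, so the rotating /24 is caught while a single home address that mistyped a password twice is not. The log lines are constructed samples (the optional `sasl_username=` field is assumed to appear as with the verbose logging André mentions), and the thresholds `maxretry=3` and `min_distinct_ips=3` are assumptions chosen to fit the sample.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix's SASL-failure log format (not from the thread): four
# addresses in one /24 each fail once with different usernames, while one home address fails
# twice with the same username, as a user who mistyped a password would.
SAMPLE_LOG = """\
Jun 22 12:58:01 mx postfix/submission/smtpd[2101]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed: authentication failure, sasl_username=andre
Jun 22 12:58:03 mx postfix/submission/smtpd[2102]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jun 22 12:58:05 mx postfix/submission/smtpd[2103]: warning: unknown[203.0.113.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=info
Jun 22 12:58:07 mx postfix/submission/smtpd[2104]: warning: unknown[203.0.113.14]: SASL LOGIN authentication failed: authentication failure, sasl_username=postmaster
Jun 22 12:59:40 mx postfix/submission/smtpd[2107]: warning: home.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=andre
Jun 22 12:59:52 mx postfix/submission/smtpd[2107]: warning: home.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=andre
"""

FAIL_RE = re.compile(
    r"postfix(?:/\S+)?/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[^\]]+)\]: "
    r"SASL \S+ authentication failed(?:.*\bsasl_username=(?P<user>\S+))?"
)

def parse_failures(log_text):
    """Return (ip_address, username or None) for every SASL authentication failure."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((ipaddress.ip_address(m["ip"]), m["user"]))
    return events

def aggregate(events, v4_prefix=24, v6_prefix=64):
    """Count failures per address and per enclosing network (/24 for IPv4, /64 for IPv6)."""
    per_ip = Counter()
    per_net = defaultdict(lambda: {"failures": 0, "ips": set(), "users": set()})
    for ip, user in events:
        per_ip[ip] += 1
        net = ipaddress.ip_interface(f"{ip}/{v4_prefix if ip.version == 4 else v6_prefix}").network
        per_net[net]["failures"] += 1
        per_net[net]["ips"].add(ip)
        if user:
            per_net[net]["users"].add(user)
    return per_ip, per_net

def decide_blocks(per_ip, per_net, maxretry=3, min_distinct_ips=3):
    """Per-address bans as fail2ban applies them, plus a network ban when the failure budget is
    spread over several addresses of one network so that no single address reaches maxretry."""
    banned_ips = {ip for ip, n in per_ip.items() if n >= maxretry}
    banned_nets = {net for net, s in per_net.items()
                   if s["failures"] >= maxretry and len(s["ips"]) >= min_distinct_ips}
    return banned_ips, banned_nets
```

On the sample, `decide_blocks` bans no individual address but does ban 203.0.113.0/24; the `users` set per network also records the several usernames tried, which is the other signal André noted.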
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org