You may discover some networks that are malicious (shadow nets). I maintain a list of these:
https://github.com/szepeviktor/debian-server-tools/tree/master/security/myattackers-ipsets

Use the shell scripts provided.
And take a look at iptables rule counters weekly so you know how successful they are.

    Chain myattackers-ipset (1 references)
     pkts bytes target prot opt in out source    destination
        0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set spidernet src reject-with icmp-port-unreachable
      240 12305 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set sks-lugan src reject-with icmp-port-unreachable
      249 11847 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set shodan-io src reject-with icmp-port-unreachable
      105  4280 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set security-scorecard src reject-with icmp-port-unreachable
        1    40 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set mirtelematiki src reject-with icmp-port-unreachable
        0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set lu-root src reject-with icmp-port-unreachable
        0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set leonlundberg src reject-with icmp-port-unreachable
        3   120 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set hostkey src reject-with icmp-port-unreachable
       13   672 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set ering.pl src reject-with icmp-port-unreachable
       17   680 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set elan.pl src reject-with icmp-port-unreachable
     1002 40883 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set ecatel src reject-with icmp-port-unreachable
    4657K 1595M RETURN all  --  *  *   0.0.0.0/0 0.0.0.0/0

For example ecatel could have 1002 Courier authentication attacks without these rules.

Quoting Alexei Batyr' <le...@pcmag.ru>:

> Gordon Messmer writes:
>
>> Authentication over plain text is only allowed if ESMTPAUTH is set in
>> etc/courier/esmtpd. To maintain password security, that setting should
>> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
>> after TLS is initialized.
>
> Unfortunately spammers/phishers et al. already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.
>
>> I wrote earlier that protecting authentication with encryption would
>> leave you with only tools like fail2ban. I should have mentioned that
>> the other good option is using an authentication backend that'll lock
>> accounts temporarily when there are repeated auth failures.
>
> Account locking seems not a good idea: attacker could easily and quickly
> block all known to him user accounts on particular server. Fail2ban blocks
> attacker's IPs instead, leaving legitimate user access to his mail.
> Probably better solution would be a similar blocking at MTA level, without
> log parsing and firing firewall rules.
>
> Just FYI: fail2ban block list of my relatively small mail server (approx.
> 350 users) now contains more than 1500 IPs. Additional advantage - reducing
> overall load to the server because blocked botnet members never more make
> continuous connections to the MTA.
>
> --
> Alexei.
>
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

SZÉPE Viktor
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, III. kerület
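The weekly counter review suggested in the message can be scripted. The following is an added example, not part of the original message or of the debian-server-tools repository; the function names `ipset_hits`, `idle_sets` and `sample_listing`, and the `example-net` row, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rank ipset-backed rules by packet counter from `iptables -nvL` output.

# Constructed sample: rows shaped like the listing in the message, plus one
# constructed row (example-net) that carries an abbreviated "K" counter.
sample_listing() {
cat <<'EOF'
Chain myattackers-ipset (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set spidernet src reject-with icmp-port-unreachable
  240 12305 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set sks-lugan src reject-with icmp-port-unreachable
  249 11847 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set shodan-io src reject-with icmp-port-unreachable
    0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set lu-root src reject-with icmp-port-unreachable
 1002 40883 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set ecatel src reject-with icmp-port-unreachable
  12K  480K REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0   match-set example-net src reject-with icmp-port-unreachable
4657K 1595M RETURN all  --  *  *   0.0.0.0/0 0.0.0.0/0
EOF
}

# Read a listing on stdin and print "<packets> <set-name>" for every rule
# that uses match-set, busiest first. Without -x, iptables abbreviates large
# counters with decimal K/M/G suffixes, so expand them before sorting.
# Rules without match-set (the final RETURN) and header lines are skipped.
ipset_hits() {
    awk '
        function expand(n,   s) {
            s = substr(n, length(n))
            if (s == "K") return substr(n, 1, length(n) - 1) * 1000
            if (s == "M") return substr(n, 1, length(n) - 1) * 1000000
            if (s == "G") return substr(n, 1, length(n) - 1) * 1000000000
            return n + 0
        }
        {
            for (i = 1; i < NF; i++)
                if ($i == "match-set") {
                    printf "%.0f %s\n", expand($1), $(i + 1)
                    break
                }
        }
    ' | sort -k1,1nr -k2,2
}

# Sets that matched nothing since the counters were last zeroed.
idle_sets() {
    ipset_hits | awk '$1 == 0 { print $2 }'
}

# Live use, as root: iptables -nvL myattackers-ipset | ipset_hits
```

Zero the counters with `iptables -Z myattackers-ipset` after each review so the next reading covers exactly one period.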