Hi, list,
I have a new mail server (CentOS7+Postfix) and I installed fail2ban.
After a few days I found in the fail2ban log:
2015-09-15 19:33:10,979 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 19:54:04,250 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:15:15,660 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:36:08,437 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:57:22,884 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 21:18:34,396 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 21:39:34,773 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:00:33,531 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:21:42,465 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:42:49,322 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:03:56,760 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:25:05,215 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:46:00,995 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:07:07,268 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:28:10,683 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:49:19,110 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
There are also more attacks from other IPs like this. Those are the
hackers trying to use our postfix to relay their spam mails. But I use SASL
to authenticate users, so access is denied. So in my maillog, for
example, it has:
Sep 16 00:49:18 szeta postfix/smtpd[23415]: connect from s15434454.onlinehome-server.com[74.208.72.135]
Sep 16 00:49:18 szeta postfix/smtpd[23415]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed: authentication failure
Sep 16 00:49:18 szeta postfix/smtpd[23415]: lost connection after AUTH from s15434454.onlinehome-server.com[74.208.72.135]
Sep 16 00:49:18 szeta postfix/smtpd[23415]: disconnect from s15434454.onlinehome-server.com[74.208.72.135]
In my jail.local, I have:
[default]
findtime=1200
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
action = %(action_mwl)s
bantime = 10800
maxretry = 3
Since this attack happens once an hour from a single IP, it just tries one
time and then stops. It tries again in the next hour. So the result is it
does not get banned! It just puts an entry in the fail2ban.log with FOUND.
I did a test yesterday and set maxretry=1, and I saw lots of IPs get
banned. But this is too much and may also affect our normal users.
Ideally I would like to set maxretry=5.
How can I deal with this kind of attack? Please help. Thanks.
Gao
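Added example (not from the original post and not fail2ban's own code): a small model of the findtime/maxretry counter, run over constructed log lines in the shape of the fail2ban.log excerpt above, to show why hits spaced wider than findtime never accumulate to maxretry and how a longer findtime changes that. The sliding-window logic is a simplification of fail2ban's internal counter and is an assumption of this example; the IP and timestamps are copied from the post.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the fail2ban.log lines quoted in the post;
# the spacing (about 21 minutes between hits) mirrors what the post shows.
FAIL2BAN_LOG = """\
2015-09-15 19:33:10,979 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 19:54:04,250 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:15:15,660 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:36:08,437 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:57:22,884 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 21:18:34,396 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
"""

FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.filter\s+\[\d+\]:\s+INFO\s+"
    r"\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)$"
)


def parse_found(log_text):
    """Return {ip: [datetime, ...]} for every 'Found' line in the jail log."""
    hits = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        hits.setdefault(m.group("ip"), []).append(ts)
    return hits


def first_ban_time(times, findtime, maxretry):
    """Simplified model (assumption) of fail2ban's counter: a hit is kept while it
    is at most findtime seconds older than the newest hit; a ban fires once
    maxretry hits remain in that window. Returns the ban timestamp or None."""
    window = []
    for t in sorted(times):
        window = [w for w in window if (t - w).total_seconds() <= findtime]
        window.append(t)
        if len(window) >= maxretry:
            return t
    return None


def evaluate(log_text, findtime, maxretry):
    """Map each IP in the log to the time it would be banned under these settings."""
    return {ip: first_ban_time(ts, findtime, maxretry)
            for ip, ts in parse_found(log_text).items()}


if __name__ == "__main__":
    # findtime=1200/maxretry=3 (the post's settings) never bans; a wider window does.
    for findtime, maxretry in ((1200, 3), (3600, 3), (86400, 5)):
        print(findtime, maxretry, evaluate(FAIL2BAN_LOG, findtime, maxretry))
```

With the post's settings every hit is already older than findtime when the next one arrives, so the window never holds more than one entry; raising findtime well above the attacker's interval lets the same maxretry trigger.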
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users