Use the SASL log for the filter with a longer findtime, for example
259200 (3 days), with a maxretry of 5 and a bantime of
604800 (1 week). Even this will not stop the attempts, but it will
slow them down.
On Thu, 2015-09-17 at 09:15 -0700, Gao wrote:
> Hi, list,
> 
> I have a new mail server (CentOS7+Postfix) and I installed fail2ban.
> After a few days I found this in the fail2ban log:
> 2015-09-15 19:33:10,979 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 19:54:04,250 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 20:15:15,660 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 20:36:08,437 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 20:57:22,884 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 21:18:34,396 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 21:39:34,773 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 22:00:33,531 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 22:21:42,465 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 22:42:49,322 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 23:03:56,760 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 23:25:05,215 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-15 23:46:00,995 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-16 00:07:07,268 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-16 00:28:10,683 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 2015-09-16 00:49:19,110 fail2ban.filter         [2342]: INFO
> [postfix-sasl] Found 74.208.72.135
> 
> There are also more attacks like this from other IPs. Those are
> hackers trying to use our Postfix to relay their spam mail. But I use
> SASL to authenticate users, so access is denied. So in my maillog, for
> example, it has:
> Sep 16 00:49:18 szeta postfix/smtpd[23415]: connect from
> s15434454.onlinehome-server.com[74.208.72.135]
> Sep 16 00:49:18 szeta postfix/smtpd[23415]: warning:
> s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN
> authentication failed: authentication failure
> Sep 16 00:49:18 szeta postfix/smtpd[23415]: lost connection after AUTH
> from s15434454.onlinehome-server.com[74.208.72.135]
> Sep 16 00:49:18 szeta postfix/smtpd[23415]: disconnect from
> s15434454.onlinehome-server.com[74.208.72.135]
> 
> In my jail.local, I have:
> [default]
> findtime=1200
> 
> [postfix-sasl]
> enabled = true
> port     = smtp,465,submission,imap3,imaps,pop3,pop3s
> logpath  = %(postfix_log)s
> action = %(action_mwl)s
> bantime  = 10800
> maxretry = 3
> 
> Since this attack happens once an hour from a single IP, it just tries
> one time and then stops. It tries again in the next hour. So the result is
> that it does not get banned!  It just puts an entry in the fail2ban.log with
> FOUND.
> 
> I did a test yesterday and set maxretry=1, and I saw lots of IPs get
> banned. But this is too much and may also affect our normal users.
> Ideally I would like to set maxretry=5.
> 
> How can I deal with this kind of attack? Please help. Thanks.
> 
> Gao


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
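The window arithmetic behind the reply above, as an added example (not code from this thread and not fail2ban's own implementation): it replays constructed maillog lines modelled on the quoted ones through a simplified stand-in for the postfix-sasl failregex and fail2ban's findtime/maxretry counting rule, showing why hits spaced about 21 minutes apart never trip findtime=1200/maxretry=3 but do trip a 3-day window with maxretry=5. The year (2015) and the regex are assumptions; the real filter's failregex is broader.

```python
import re
from datetime import datetime, timedelta

# Constructed sample maillog lines modelled on the ones quoted in the thread:
# one SASL failure roughly every 21 minutes from the same host, plus one
# "connect from" line that the filter must ignore. Year assumed to be 2015.
TIMES = ["19:33:10", "19:54:04", "20:15:15", "20:36:08", "20:57:22", "21:18:34"]
MAILLOG = ["Sep 15 19:33:09 szeta postfix/smtpd[23415]: connect from "
           "s15434454.onlinehome-server.com[74.208.72.135]"] + [
    f"Sep 15 {t} szeta postfix/smtpd[23415]: warning: "
    "s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN "
    "authentication failed: authentication failure"
    for t in TIMES
]

# Simplified stand-in for the postfix-sasl failregex (assumption, not the
# real one): syslog timestamp, then the "SASL ... authentication failed"
# warning with the client IP in square brackets.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed"
)

def failures(lines, year=2015):
    """Yield (timestamp, ip) for every line matching the failregex."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            yield ts, m["ip"]

def first_ban(lines, ip, findtime, maxretry):
    """Replay fail2ban's counting rule: the IP is banned as soon as `maxretry`
    failures fall inside a sliding window of `findtime` seconds. Returns the
    timestamp of the failure that triggers the ban, or None if it never does."""
    window = []
    limit = timedelta(seconds=findtime)
    for ts, src in sorted(failures(lines)):
        if src != ip:
            continue
        window = [t for t in window if ts - t <= limit]  # drop expired hits
        window.append(ts)
        if len(window) >= maxretry:
            return ts
    return None

if __name__ == "__main__":
    ip = "74.208.72.135"
    for findtime, maxretry in [(1200, 3), (3600, 3), (259200, 5)]:
        print(f"findtime={findtime} maxretry={maxretry}:",
              first_ban(MAILLOG, ip, findtime, maxretry))
```

With the original jail.local values the window holds at most one hit at a time, so the IP is only ever "Found"; the 3-day window bans it on the fifth failure.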