If you are using user/pass authentication, can you switch your users
to use either SMTP/SSL on port 465 or STARTTLS on 587? Then when you
get a relay access denied you can immediately ban the IP on the
first occurrence of the "relay access denied" message.
I hijacked the postfix filter and used the single regex line:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
Nick
On 17/09/2015 17:29, Harrison Johnson wrote:
Use the sasl log for the filter with a longer find time, for
example 259200 (3 days), with a maxretry of 5 and a ban time of
604800 (1 week). Even this will not stop the attempts, but it
will slow them down.
On Thu, 2015-09-17 at 09:15 -0700, Gao wrote:
Hi, list,
I have a new mail server (CentOS7+Postfix) and I installed
fail2ban. After a few days I found in the fail2ban log:
2015-09-15 19:33:10,979 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 19:54:04,250 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:15:15,660 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:36:08,437 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 20:57:22,884 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 21:18:34,396 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 21:39:34,773 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:00:33,531 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:21:42,465 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 22:42:49,322 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:03:56,760 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:25:05,215 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-15 23:46:00,995 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:07:07,268 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:28:10,683 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
2015-09-16 00:49:19,110 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
There are also more attacks from other IPs like this. Those are
the hackers trying to use our postfix to relay their spam mails.
But I use SASL to authenticate users, so the access is denied. So in my maillog,
for example, it has:
Sep 16 00:49:18 szeta postfix/smtpd[23415]: connect from s15434454.onlinehome-server.com[74.208.72.135]
Sep 16 00:49:18 szeta postfix/smtpd[23415]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed: authentication failure
Sep 16 00:49:18 szeta postfix/smtpd[23415]: lost connection after AUTH from s15434454.onlinehome-server.com[74.208.72.135]
Sep 16 00:49:18 szeta postfix/smtpd[23415]: disconnect from s15434454.onlinehome-server.com[74.208.72.135]
In my jail.local, I have:
[default]
findtime=1200
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
action = "">
bantime = 10800
maxretry = 3
Since this attack happens once an hour from a single IP, it just
tries one time and then stops. It tries again in the next hour. So the
result is it does not get banned! It just puts an entry in the
fail2ban.log with FOUND.
I did a test yesterday and set maxretry=1 and I saw lots of IPs
get banned. But this is too much and may also affect our normal
users. Ideally I would like to set maxretry=5.
How can I deal with this kind of attack? Please help. Thanks.
Gao
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
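As an added example (not code from the thread or from fail2ban itself), the following Python sketch puts the two suggestions above side by side: Nick's failregex with fail2ban's %(__prefix_line)s and <HOST> expansions substituted by hand (a simplified syslog prefix is assumed), and a sliding-window model of findtime/maxretry run over the attempt times from Gao's fail2ban log, which shows why findtime=1200 with maxretry=3 never bans 74.208.72.135 while Harrison's 259200/5 does. The reject line it matches is constructed, not taken from Gao's maillog.

```python
import re
from datetime import datetime

# Nick's failregex for banning relay attempts on first sight. fail2ban expands
# %(__prefix_line)s and <HOST> itself; here both are substituted by hand
# (assumed, simplified syslog prefix; <HOST> uses fail2ban's named-group form).
PREFIX = r"\S+ +\d+ \d+:\d+:\d+ \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
RELAY_DENIED = re.compile(
    r"^" + PREFIX + r"NOQUEUE: reject: RCPT from \S+\[" + HOST
    + r"\]: 554 5\.7\.1 .* Relay access denied.*$"
)

def relay_denied_host(line):
    """Return the offending IP if the line is a 'Relay access denied' reject."""
    m = RELAY_DENIED.match(line)
    return m.group("host") if m else None

def ban_time(failures, findtime, maxretry):
    """Sliding-window approximation of fail2ban's counting: return the
    timestamp of the failure that triggers a ban, or None if none does."""
    window = []
    for t in sorted(failures):
        window = [w for w in window if (t - w).total_seconds() <= findtime]
        window.append(t)
        if len(window) >= maxretry:
            return t
    return None

# Attempt times taken from the "Found 74.208.72.135" entries quoted above.
FOUND_TIMES = [datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in (
    "2015-09-15 19:33:10", "2015-09-15 19:54:04", "2015-09-15 20:15:15",
    "2015-09-15 20:36:08", "2015-09-15 20:57:22", "2015-09-15 21:18:34",
    "2015-09-15 21:39:34", "2015-09-15 22:00:33", "2015-09-15 22:21:42",
    "2015-09-15 22:42:49", "2015-09-15 23:03:56", "2015-09-15 23:25:05",
    "2015-09-15 23:46:00", "2015-09-16 00:07:07", "2015-09-16 00:28:10",
    "2015-09-16 00:49:19")]

# Constructed sample line in the shape Nick's regex targets (not from the maillog).
SAMPLE_REJECT = ("Sep 16 00:49:18 szeta postfix/smtpd[23415]: NOQUEUE: reject: "
                 "RCPT from unknown[192.0.2.10]: 554 5.7.1 <[email protected]>: "
                 "Relay access denied; from=<[email protected]> to=<[email protected]> "
                 "proto=ESMTP helo=<example.net>")

if __name__ == "__main__":
    print(relay_denied_host(SAMPLE_REJECT))   # 192.0.2.10
    print(ban_time(FOUND_TIMES, 1200, 3))     # None: every gap exceeds findtime
    print(ban_time(FOUND_TIMES, 259200, 5))   # 2015-09-15 20:57:22, the 5th attempt
```

The gaps in Gao's log are about 21 minutes, just over the 1200-second findtime, so the window never holds more than one failure until findtime is lengthened.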