I forgot to add, with my suggestion below you then turn off all user/pass authentication on port 25, and if you have a lot of fixed LAN machines which you don't want to configure and are confident of your LAN security, you then put your LAN in trusted networks.

This way anyone on your LAN can keep going as before; your users outside your LAN will authenticate on 465 or 587 (authentication being stored in their clients). Then anyone trying to relay through you has either authenticated on 465/587, so relaying won't be denied, or they will be hostile and so can be banned immediately on the first occurrence of an attempted relay.

Nick

On 2015-09-17 18:11, Nick Howitt wrote:
> If you are using user/pass authentication, can you switch your users
> to use either SMTP/SSL on port 465 or STARTTLS on 587? Then when you
> get a relay access denied you can immediately ban the IP on the first
> occurrence of the "relay access denied" message.
>
> I hijacked the postfix filter and used the single regex line:
> failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5.7.1 .* Relay access denied.*$
>
> Nick
>
> On 17/09/2015 17:29, Harrison Johnson wrote:
>
>> Use the sasl log for the filter with a longer find time, for example
>> 259200 (3 days), with a maxretry of 5 and a ban time of
>> 604800 (1 week), but even this will not stop the attempts; it
>> will slow them down.
>> On Thu, 2015-09-17 at 09:15 -0700, Gao wrote:
>>
>>> Hi, list,
>>>
>>> I have a new mail server (CentOS7+Postfix) and I installed
>>> fail2ban. After a few days I found in the fail2ban log:
>>> 2015-09-15 19:33:10,979 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 19:54:04,250 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 20:15:15,660 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 20:36:08,437 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 20:57:22,884 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 21:18:34,396 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 21:39:34,773 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 22:00:33,531 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 22:21:42,465 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 22:42:49,322 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 23:03:56,760 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 23:25:05,215 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-15 23:46:00,995 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-16 00:07:07,268 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-16 00:28:10,683 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>> 2015-09-16 00:49:19,110 fail2ban.filter [2342]: INFO [postfix-sasl] Found 74.208.72.135
>>>
>>> There are also more attacks from other IPs like this. Those are
>>> the hackers trying to use our postfix to relay their spam mails.
>>> But I use SASL to authenticate users so the access is denied.
>>> So in my maillog, for example, it has:
>>> Sep 16 00:49:18 szeta postfix/smtpd[23415]: connect from s15434454.onlinehome-server.com[74.208.72.135]
>>> Sep 16 00:49:18 szeta postfix/smtpd[23415]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed: authentication failure
>>> Sep 16 00:49:18 szeta postfix/smtpd[23415]: lost connection after AUTH from s15434454.onlinehome-server.com[74.208.72.135]
>>> Sep 16 00:49:18 szeta postfix/smtpd[23415]: disconnect from s15434454.onlinehome-server.com[74.208.72.135]
>>>
>>> In my jail.local, I have:
>>> [default]
>>> findtime=1200
>>>
>>> [postfix-sasl]
>>> enabled = true
>>> port = smtp,465,submission,imap3,imaps,pop3,pop3s
>>> logpath = %(postfix_log)s
>>> action = %(action_mwl)s
>>> bantime = 10800
>>> maxretry = 3
>>>
>>> Since this attack happens once an hour from a single IP, it just
>>> tries one time then stops. It tries again in the next hour. So the
>>> result is it does not get banned! It just puts an entry in the
>>> fail2ban.log with FOUND.
>>>
>>> I did a test yesterday and set maxretry=1 and I see lots of IPs
>>> get banned. But this is too much and may also affect our normal
>>> users. Ideally I would like to set maxretry=5.
>>>
>>> How can I deal with this kind of attack? Please help. Thanks.
>>>
>>> Gao

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
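The thread turns on how fail2ban's sliding window interacts with slow, spaced-out attempts: with findtime=1200 and maxretry=3, an attacker who fails once per hour never accumulates three hits inside any 20-minute window, which is why Gao only ever sees "Found" and never "Ban". The script below is an added illustration, not code from the thread or from fail2ban itself. It replays constructed maillog lines (modelled on the format Gao quoted, with RFC 5737 documentation addresses in place of real hosts) through two fail2ban-style failregexes, the SASL-failure one and Nick's "Relay access denied" one, and a minimal reimplementation of the findtime/maxretry window. The year 2015 is assumed because syslog timestamps carry none, and bantime expiry is deliberately not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog, modelled on the lines quoted in the thread.
# Hosts are RFC 5737 documentation addresses, not real attackers.
# 192.0.2.10 fails SASL once an hour (Gao's pattern); 192.0.2.20 makes a
# single relay attempt; 192.0.2.30 is a legitimate user mistyping twice.
SAMPLE_MAILLOG = """\
Sep 16 00:49:18 szeta postfix/smtpd[23415]: connect from mail.example[192.0.2.10]
Sep 16 00:49:18 szeta postfix/smtpd[23415]: warning: mail.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 16 00:49:18 szeta postfix/smtpd[23415]: lost connection after AUTH from mail.example[192.0.2.10]
Sep 16 01:49:20 szeta postfix/smtpd[23416]: warning: mail.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 16 02:49:25 szeta postfix/smtpd[23417]: warning: mail.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 16 03:49:31 szeta postfix/smtpd[23418]: warning: mail.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 16 04:49:33 szeta postfix/smtpd[23419]: warning: mail.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Sep 16 05:12:01 szeta postfix/smtpd[23420]: NOQUEUE: reject: RCPT from relay.example[192.0.2.20]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<relay.example>
Sep 16 05:30:00 szeta postfix/smtpd[23421]: warning: laptop.example[192.0.2.30]: SASL LOGIN authentication failed: authentication failure
Sep 16 05:30:05 szeta postfix/smtpd[23421]: warning: laptop.example[192.0.2.30]: SASL LOGIN authentication failed: authentication failure
"""

# Stand-in for fail2ban's %(__prefix_line)s: syslog timestamp, hostname, daemon[pid].
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "

# Two filters: the stock SASL-failure pattern and the relay-denied pattern
# from Nick's message, with <HOST> replaced by a capturing group.
FILTERS = {
    "postfix-sasl": re.compile(
        PREFIX + r"warning: \S+\[(?P<host>[\d.]+)\]: SASL \S+ authentication failed"),
    "postfix-relay": re.compile(
        PREFIX + r"NOQUEUE: reject: RCPT from \S+\[(?P<host>[\d.]+)\]: "
        r"554 5\.7\.1 .*Relay access denied"),
}

LOG_YEAR = 2015  # assumed: syslog lines carry no year


def parse_syslog_time(ts, year=LOG_YEAR):
    """Turn 'Sep 16 00:49:18' into a datetime (year supplied by caller)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_failures(log_text, jail):
    """Yield (timestamp, host) for every line the jail's regex matches."""
    regex = FILTERS[jail]
    for line in log_text.splitlines():
        m = regex.match(line)
        if m:
            yield parse_syslog_time(m["ts"]), m["host"]


def simulate_bans(log_text, jail, findtime, maxretry):
    """Replay matches through a fail2ban-style sliding window.

    A host is banned once it has `maxretry` matches within the last
    `findtime` seconds. Returns {host: datetime_of_ban}. Failures from an
    already-banned host are skipped; bantime expiry is not modelled.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, host in find_failures(log_text, jail):
        if host in banned:
            continue
        hits = recent[host]
        hits.append(ts)
        # Drop hits that have aged out of the findtime window.
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    # Gao's settings: hourly attempts never pile up inside 20 minutes.
    print("findtime=1200 maxretry=3 ->", simulate_bans(SAMPLE_MAILLOG, "postfix-sasl", 1200, 3))
    # Harrison's settings: the window is long enough to catch the slow attacker
    # while a user who fumbles a password twice stays under maxretry.
    print("findtime=259200 maxretry=5 ->", simulate_bans(SAMPLE_MAILLOG, "postfix-sasl", 259200, 5))
    # Nick's approach: one relay attempt is enough, since legitimate
    # users authenticate on 465/587 and never trigger this message.
    print("relay, maxretry=1 ->", simulate_bans(SAMPLE_MAILLOG, "postfix-relay", 600, 1))
```

Running it shows the three outcomes discussed in the thread side by side: the original jail bans nobody, the three-day findtime with maxretry=5 bans the hourly attacker at its fifth attempt but leaves the two-strike user alone, and the relay filter bans on the very first rejected RCPT. Before lowering maxretry on a relay-style filter in production, check the jail's own log after a day of dry running to confirm that none of your own clients ever produce that message.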
