I use this as an enhancement to f2b:
https://github.com/dpsystems/login-shield
It contains a number of blacklists and blocks login ports from areas
of known issues. The IP that attacked your system was by default in
the blacklist.
If you're in France you'll want to check some of the areas and either
blacklist or whitelist appropriately, but this script has cut down my
attacks by 99%.
Hi,
My main mail server is running CentOS 7 with Postfix and Dovecot.
Last week I was surprised to see that Postfix had some troubles on this
machine, according to Icinga. I took a peek at the logs:
# journalctl -p err
Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
...
And in /var/log/maillog I found a tsunami of these:
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
My first reaction was to manually ban the IP addresses / networks which caused
the flood, using my firewall:
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
# firewall-cmd --reload
I'm already using fail2ban in conjunction with firewalld to prevent brute-force
SSH attacks.
Can I use it in a similar configuration to stop Postfix from getting flooded
and brought down to its knees?
Thanks & cheers from the sunny South of France,
Niki
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
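The jail Niki is asking about, as an added example that is not part of either message in this thread: it writes a `[postfix-sasl]` jail fragment using the stock `postfix-sasl` filter and the `firewallcmd-rich-rules` ban action that ship with fail2ban 0.9+, and then does a cheap stand-in for `fail2ban-regex` by matching the same "SASL ... authentication failed" lines and counting hits per client IP. The log lines are constructed (modelled on the ones in the post, with a second IP from the 198.51.100.0/24 documentation range), the thresholds are an assumption, and `fail2ban` itself is not required to run the script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes fail2ban >= 0.9 on CentOS 7 with
# firewalld; the jail, filter and action names are the stock ones in fail2ban.
set -e

# Write a jail fragment a reader could drop into /etc/fail2ban/jail.d/.
# Written under "$1" here so the script runs without root. Prints the path.
write_jail() {
    dir="$1"
    cat > "$dir/postfix-sasl.local" <<'EOF'
[postfix-sasl]
enabled   = true
# stock filter for "SASL <mech> authentication failed" lines in maillog
filter    = postfix-sasl
logpath   = /var/log/maillog
port      = smtp,465,submission,imap,imaps,pop3,pop3s
# assumed thresholds: ban after 5 failures within 10 minutes, for one hour
maxretry  = 5
findtime  = 600
bantime   = 3600
# ban through firewalld, like the sshd jail already in use
banaction = firewallcmd-rich-rules
EOF
    printf '%s\n' "$dir/postfix-sasl.local"
}

# Stand-in for: fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
# Matches SASL auth failures from postfix/smtpd, extracts the client IP in [...]
# and prints "<ip> <count>" for every host with at least $2 failures.
offenders() {
    logfile="$1"; maxretry="$2"
    grep -E 'postfix/smtpd\[[0-9]+\]: warning: [^ ]+\[[0-9.]+\]: SASL (LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed' "$logfile" \
      | sed -E 's/.*\[([0-9.]+)\]: SASL.*/\1/' \
      | sort | uniq -c \
      | awk -v max="$maxretry" '$1 >= max { print $2, $1 }'
}

# Constructed sample maillog (not a real capture): five failures from one host
# mixing LOGIN and PLAIN, two from another, plus lines the filter must ignore.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
Mar 28 03:18:34 sd-151768 postfix/smtpd[29591]: warning: unknown[45.227.253.115]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:35 sd-151768 postfix/smtpd[29591]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:36 sd-151768 postfix/smtpd[29593]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:37 sd-151768 postfix/smtpd[29593]: warning: unknown[45.227.253.115]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:19:01 sd-151768 postfix/smtpd[29600]: warning: mail.example.net[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:19:02 sd-151768 postfix/smtpd[29600]: warning: mail.example.net[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:19:30 sd-151768 postfix/smtpd[29602]: connect from mail.example.org[203.0.113.7]
EOF
}

# Stand-alone demo: build the log, write the jail, list hosts over the threshold.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/maillog"
write_jail "$demo_dir" >/dev/null
echo "hosts with >= 5 SASL failures:"
offenders "$demo_dir/maillog" 5
rm -rf "$demo_dir"
```

On a real box, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf` is the authoritative check; the `grep`/`awk` pipeline only shows which hosts that filter would count. Whether `banaction` needs setting at all depends on what the sshd jail is already using (the EPEL `fail2ban-firewalld` package configures a firewalld default), so check `fail2ban-client get postfix-sasl actions` after the reload.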