On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up with the conversation!

I had auth on ports I did not need. I use auth on submission port 587, for user access.

I do get a boatload of failed login attempts on 587. Funny how hosts from China, the US, Argentina, you name it, will try the same failed username and password at nearly the same time.

Small world.

I use Fail2Ban to block the failed IP. The script writes it into the nftables table immediately.

I think this keeps Postfix waiting and times out, not a big deal. Is there a CLI command that my bash script could use to force-disconnect the IP from Postfix?

I did search the man page and the docs, sorry if I missed it.

Thanks

--john


Hi John

Maybe controversial for use on the submission service, but a while back I started using Spamhaus XBL (the exploits data only, not the PBL or spammer data) as the first check (reject_rbl_client) in smtpd_client_restrictions for the submission service (on which I have AUTH enabled only after STARTTLS). I saw two results:

1. There are few illegitimate SMTP AUTH attempts that aren't blocked by XBL and end up trying the credentials.

2. Even the blocked traffic has fallen off to a small number of tries per day (usually < 20).

Point 2 tends to indicate that the hacker scripts only start hammering when they find an AUTH command enabled.

Fail2ban can still be used for the IPs that get through, since then they start hammering, but the cases are so limited I haven't bothered.

John
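
One way to write the setup described in the reply above, as an added example that is not configuration from either poster or from the Postfix project. The name `submission_client_restrictions` is a user-defined parameter assumed here, and `smtpd_delay_reject=no` and the return-code filter are assumptions about how the check is meant to behave, not details given in the thread.

```conf
# /etc/postfix/main.cf  (added example, names marked "assumed" are not from the thread)
#
# User-defined parameter (assumed name) holding the submission-only client check.
# Only the XBL (exploits) list is queried, as in the reply. The =127.0.0.[4..7]
# filter limits matches to XBL listing codes, so DNSBL error answers
# (for example when queries arrive via a public resolver) do not reject clients.
submission_client_restrictions =
    reject_rbl_client xbl.spamhaus.org=127.0.0.[4..7]

# /etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  # STARTTLS is mandatory, and AUTH is only offered once TLS is active.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  # By default (smtpd_delay_reject=yes) client restrictions are not evaluated
  # until RCPT TO, which is after a client has already been able to try AUTH.
  # Setting it to "no" evaluates the XBL check at connect time instead.
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$submission_client_restrictions
  # The "must be authenticated" rule belongs at the recipient/relay stage:
  # at connect time nobody is authenticated yet, so permit_sasl_authenticated
  # in the client restrictions above would lock out every user.
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, rejections from the list appear in the log under the `postfix/submission` syslog name, which keeps them separate from port 25 traffic when checking how many attempts still reach AUTH.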


