On 17/07/17 16:43, Scott Techlist wrote:
> As I watch the bots and spammers hammer my server with connection attempts,
> I figured I might as well stop them even closer to the front door when they
> try repeatedly.
>
> I have fail2ban running already and once I enabled postscreen it didn't seem
> to have much to do anymore.
>
> My primary question is: Can I filter on the DISCONNECT log line for bad
> connections (and only bad connections), or do some "good" connections also
> log a DISCONNECT.  Like this:
>
> Jul 17 10:08:27 tn3 postfix/postscreen[19184]: DISCONNECT [110.175.112.118]:63862
>
> My server isn't "live" yet and my logs are just from bots and spammers
> already knocking at the door.  So I don't have a lot of "good" connections
> to look at.  I couldn't figure out if a "good" connection that went through
> after 220 tests, or any other pass, also got a DISCONNECT entry.  If it
> does, I can't use it.
>
> I've only found a couple of others' fail2ban filters related to postscreen
> logs:
>
> One from:
> https://github.com/jannickfahlbusch/fail2ban-rulez/blob/master/MailServer/PostFix/postfix-dnsblog.conf
>
> That one picks up on the "listed by domain" string but because I may have
> multiple "hits" per connection due to multiple dnsbls, it throws off my
> banning thresholds.  Not a huge deal, but not the count I want.  This
> connection counted 4 "fails"
>
> Jul 17 10:01:40 tn3 postfix/postscreen[19136]: CONNECT from [105.174.2.98]:11607 to [45.63.111.83]:25
> Jul 17 10:01:40 tn3 postfix/dnsblog[19138]: addr 105.174.2.98 listed by domain b.barracudacentral.org as 127.0.0.2
> Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.11
> Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.4
> Jul 17 10:01:40 tn3 postfix/dnsblog[19143]: addr 105.174.2.98 listed by domain dnsbl.sorbs.net as 127.0.0.7
> Jul 17 10:01:46 tn3 postfix/postscreen[19136]: DNSBL rank 6 for [105.174.2.98]:11607
> Jul 17 10:01:48 tn3 postfix/postscreen[19136]: DISCONNECT [105.174.2.98]:11607
>
> From searching this list I saw this filter:
> https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fkupschke.net%2F2013%2F04%2F20%2Ffail2ban-und-postscreen%2F&edit-text=&act=url
>
> That one is picking up on 5xx reject codes like this one.  I don't have
> many like this (yet):
>
> Jul 17 07:58:28 tn3 postfix/postscreen[8899]: CONNECT from [66.231.40.205]:64187 to [45.63.111.83]:25
> Jul 17 07:58:28 tn3 postfix/dnsblog[8904]: addr 66.231.40.205 listed by domain zen.spamhaus.org as 127.0.0.4
> Jul 17 07:58:34 tn3 postfix/postscreen[8899]: DNSBL rank 3 for [66.231.40.205]:64187
> Jul 17 07:58:35 tn3 postfix/postscreen[8899]: NOQUEUE: reject: RCPT from [66.231.40.205]:64187: 550 5.7.1 Service unavailable; client [66.231.40.205] blocked using zen.spamhaus.org; from=<36jr3j36jr36jr3.3625327...@superuser.com>, to=<cookie.nick2...@outlook.com>, proto=ESMTP, helo=<[192.168.1.5]>
> Jul 17 07:58:35 tn3 postfix/postscreen[8899]: DISCONNECT [66.231.40.205]:64187
>
> Anyone have any good postscreen fail2ban filters?
>
> Mine for now is:
> failregex = ^%(__prefix_line)saddr <HOST> listed by domain .* as .*$
>             reject: RCPT from (.*)\[<HOST>\]:([0-9]{1,5}:)? 550

My homespun iptables blocker works in two stages:

The log is swept over the last day or so, and -
a) Multiple transgressions puts the offender into a local blacklist.
b) Multiple blacklist refusals and they are added to an iptables DROP list.

and they stay there until they stop trying to connect ...

It is overkill for my (domestic) server,  but it keeps my hand in for
writing scripts.

(And I hate spam!!)

FYI  Below is today's attrition report:


Nuisance hosts currently blocked by firewall:    91
                Still active:    24

POSTSCREEN  ATTRITION  REPORT  FOR  Today so far

Connections handled by Postscreen:    189
        White-listed:        11
        Black-listed Locally:    23
        Black-listed by DNSBL:    75
        Early hang-ups:        9
        Pre-Greets:        3
        Command pipelining:    0
        Non-SMTP commands:    0
        Multi-connect refusals:    2

        Grey-list Deferrals:    1

        Refusal Ratio:        93 percent

Connections passed on to mail server:    12
        Early disconnects:    0
        Authorisation Probes:    0
        Client Host Refused:    0
        Bad HELO Command:    0
        Bad Sender address:    0
        Illegal Relay Attempts:    0

        Invalid Recipients:    0

messages placed into Postfix queue:    12
        Sent to Dovecot:    12
        Outbound messages:    0

Actual messages received in mailbox:    12


Regards

Allen C

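
As an added example, not code from either poster, the following Python sweep does in one pass what both messages circle around: it groups postscreen and dnsblog lines into one session per CONNECT, scores a single strike per offending connection however many DNSBL zones listed it (the count a fail2ban maxretry should really see), and totals the outcomes the way the attrition report above does. The sample log is constructed after the excerpts quoted in the thread; the PREGREET, HANGUP, PASS NEW/OLD, WHITELISTED, BLACKLISTED, COMMAND PIPELINING and NON-SMTP COMMAND wordings are assumptions about postscreen's other messages, and so is treating DISCONNECT as the close of every session rather than as a verdict on it.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpts quoted in the thread.  The
# PREGREET and PASS NEW lines are assumed postscreen wordings.  One client
# (105.174.2.98) connects twice and is listed by several zones the first time.
SAMPLE_LOG = """\
Jul 17 10:01:40 tn3 postfix/postscreen[19136]: CONNECT from [105.174.2.98]:11607 to [45.63.111.83]:25
Jul 17 10:01:40 tn3 postfix/dnsblog[19138]: addr 105.174.2.98 listed by domain b.barracudacentral.org as 127.0.0.2
Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.11
Jul 17 10:01:40 tn3 postfix/dnsblog[19142]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.4
Jul 17 10:01:40 tn3 postfix/dnsblog[19143]: addr 105.174.2.98 listed by domain dnsbl.sorbs.net as 127.0.0.7
Jul 17 10:01:46 tn3 postfix/postscreen[19136]: DNSBL rank 6 for [105.174.2.98]:11607
Jul 17 10:01:48 tn3 postfix/postscreen[19136]: DISCONNECT [105.174.2.98]:11607
Jul 17 10:02:10 tn3 postfix/postscreen[19136]: CONNECT from [198.51.100.7]:40001 to [45.63.111.83]:25
Jul 17 10:02:10 tn3 postfix/postscreen[19136]: PREGREET 11 after 0.1 from [198.51.100.7]:40001: EHLO test
Jul 17 10:02:11 tn3 postfix/postscreen[19136]: DISCONNECT [198.51.100.7]:40001
Jul 17 10:03:00 tn3 postfix/postscreen[19136]: CONNECT from [203.0.113.5]:51234 to [45.63.111.83]:25
Jul 17 10:03:06 tn3 postfix/postscreen[19136]: PASS NEW [203.0.113.5]:51234
Jul 17 10:03:06 tn3 postfix/postscreen[19136]: DISCONNECT [203.0.113.5]:51234
Jul 17 10:05:00 tn3 postfix/postscreen[19136]: CONNECT from [105.174.2.98]:11900 to [45.63.111.83]:25
Jul 17 10:05:00 tn3 postfix/dnsblog[19138]: addr 105.174.2.98 listed by domain zen.spamhaus.org as 127.0.0.4
Jul 17 10:05:06 tn3 postfix/postscreen[19136]: DNSBL rank 3 for [105.174.2.98]:11900
Jul 17 10:05:07 tn3 postfix/postscreen[19136]: NOQUEUE: reject: RCPT from [105.174.2.98]:11900: 550 5.7.1 Service unavailable; client [105.174.2.98] blocked using zen.spamhaus.org; from=<a@example.com>, to=<b@example.net>, proto=ESMTP, helo=<[192.168.1.5]>
Jul 17 10:05:08 tn3 postfix/postscreen[19136]: DISCONNECT [105.174.2.98]:11900
"""

LINE_RE = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/([a-z]+)\[\d+\]: (.*)$')
PEER_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]:(\d{1,5})')   # "[ip]:port" identifies one client session
DNSBLOG_RE = re.compile(r'^addr (\S+) listed by domain (\S+) as (\S+)$')
RANK_RE = re.compile(r'^DNSBL rank (\d+) for ')

# Message prefix -> tag.  CONNECT, "DNSBL rank", NOQUEUE and DISCONNECT are the
# messages quoted in the thread; the prefixes below are assumed postscreen wordings.
PREFIX_TAGS = [('PREGREET ', 'pregreet'), ('HANGUP ', 'hangup'),
               ('COMMAND PIPELINING ', 'pipelining'), ('NON-SMTP COMMAND ', 'non-smtp'),
               ('BLACKLISTED ', 'blacklisted-local'), ('WHITELISTED ', 'whitelisted'),
               ('PASS NEW ', 'passed'), ('PASS OLD ', 'passed')]
OFFENCES = {'pregreet', 'hangup', 'pipelining', 'non-smtp', 'blacklisted-local', 'dnsbl'}


def parse_sessions(log_text, dnsbl_threshold=1):
    """Group lines into sessions keyed by (ip, port), one per CONNECT.

    DISCONNECT closes every session, good or bad, so a session is judged by the
    tags collected between CONNECT and DISCONNECT, never by DISCONNECT itself.
    dnsblog lines carry no port, so each is attached to the newest open session
    for that address.  dnsbl_threshold plays the role of postscreen_dnsbl_threshold.
    """
    open_by_key, newest_by_ip, finished = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m.groups()
        if prog == 'dnsblog':
            d = DNSBLOG_RE.match(msg)
            sess = d and open_by_key.get(newest_by_ip.get(d.group(1)))
            if sess:
                sess['listings'].append((d.group(2), d.group(3)))
            continue
        peer = PEER_RE.search(msg)
        if prog != 'postscreen' or not peer:
            continue
        key = (peer.group(1), int(peer.group(2)))
        if msg.startswith('CONNECT from '):
            open_by_key[key] = {'ip': key[0], 'port': key[1], 'listings': [], 'rank': 0, 'tags': set()}
            newest_by_ip[key[0]] = key
            continue
        sess = open_by_key.get(key)
        if sess is None:
            continue                                   # no CONNECT seen for this session
        if msg.startswith('DISCONNECT '):
            if sess['rank'] >= dnsbl_threshold:
                sess['tags'].add('dnsbl')
            finished.append(open_by_key.pop(key))
            if newest_by_ip.get(key[0]) == key:
                del newest_by_ip[key[0]]
            continue
        r = RANK_RE.match(msg)
        if r:
            sess['rank'] = int(r.group(1))
        elif msg.startswith('NOQUEUE: reject: RCPT from ') and ': 550 ' in msg:
            sess['tags'].add('dnsbl')
        else:
            sess['tags'].update(t for p, t in PREFIX_TAGS if msg.startswith(p))
    return finished


def offenders(sessions, maxretry=2):
    """One strike per offending session, however many zones listed it."""
    strikes = Counter(s['ip'] for s in sessions if s['tags'] & OFFENCES)
    return {ip: n for ip, n in strikes.items() if n >= maxretry}


def attrition_report(sessions):
    """Per-outcome counts in the spirit of the attrition report above."""
    rep = Counter(connections=len(sessions))
    for s in sessions:
        rep.update(s['tags'])
        rep['refused'] += bool(s['tags'] & OFFENCES)
    rep['refusal_pct'] = round(100 * rep['refused'] / rep['connections']) if sessions else 0
    return dict(rep)


if __name__ == '__main__':
    sessions = parse_sessions(SAMPLE_LOG)
    for ip, n in offenders(sessions).items():
        print(f'{ip}: {n} offending connections')
    for k, v in attrition_report(sessions).items():
        print(f'{k:>16}: {v}')
```

On the sample, 105.174.2.98 scores two strikes for its two connections even though it produced five `listed by domain` lines, which is the discrepancy behind the "4 fails" for one connection. For a fail2ban filter the same effect comes from matching a line that appears once per connection in the excerpts above (the `DNSBL rank` line or the `NOQUEUE: reject` line) instead of each dnsblog listing.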