Re: postscreen vs. fail2ban

2015-03-13 Thread Istvan Prosinger

Hi Wietse,

One benefit of using fail2ban (for me) is a definitely cleaner mail log 
for these cases.


Regards,
Istvan


On 12.3.2015 2:30, Wietse Venema wrote:
> Michael Fox:
>> I haven't implemented postscreen yet, but plan to.  So this question is for
>> the postscreen experts here.
>>
>> As I understand it from the documentation, postscreen protects postfix from
>> having to deal with most attack vectors, including higher volume attacks.
>> So, does it make sense to also use something like fail2ban to block IPs that
>> postscreen (or postfix) logs repeatedly as offenders?  Or is postscreen
>> sufficient to protect postfix?
>
> I would not bother, except in extreme cases where the same IP address
> makes thousands and thousands of connections.
>
> Wietse



RE: postscreen vs. fail2ban

2015-03-12 Thread Michael Fox
Sebastian, Wietse, Noel:  thanks for your responses re Postscreen vs.
Fail2ban.

Michael




Re: postscreen vs. fail2ban

2015-03-11 Thread Noel Jones
On 3/11/2015 7:43 PM, Michael Fox wrote:
> I haven’t implemented postscreen yet, but plan to.  So this question
> is for the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects
> postfix from having to deal with most attack vectors, including
> higher volume attacks.  So, does it make sense to also use something
> like fail2ban to block IPs that postscreen (or postfix) logs
> repeatedly as offenders?  Or is postscreen sufficient to protect
> postfix?

The goal of postscreen is to reject zombies while using very few
system resources. Postscreen can reject thousands of connections per
minute without a significant drain on server performance, even on a
modest hardware.

Also, zombies don't generally hammer away at a server; they make a
(relatively) few connections, and then move on to the next victim.
It's probably not worth the trouble to firewall them.

That's been my experience, your mileage may vary.

On the other hand, fail2ban may be useful for detecting SASL
dictionary attacks. It's not unreasonable to block an IP for a
period of time after XX failed AUTH attempts.

Anyway, feel free to experiment if you want.  I don't think it will
help much, but it probably won't break anything.


  -- Noel Jones
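
The threshold idea in the reply above (block an IP for a while after some number of failed AUTH attempts), sketched as an added example that is not part of the original thread and is not fail2ban's own code. The function name, the threshold of 3, the 10-minute window, the year and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd warning for a failed AUTH, e.g.
#   ... postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: ...
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/[\w/]*smtpd\[\d+\]:\s"
    r"warning:\s\S+\[(?P<ip>[^\]]+)\]:\sSASL\s\S+\sauthentication failed"
)

def find_offenders(lines, max_failures=3, window=timedelta(minutes=10), year=2015):
    """Map each IP to the time its failures first reached max_failures within window.

    max_failures, window and year are assumed values (the thread only says "XX";
    syslog timestamps carry no year).
    """
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue               # postscreen lines, normal deliveries, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

# Constructed sample log (documentation addresses, not real traffic).
F = "authentication failed: authentication failure"
SAMPLE_LOG = f"""\
Mar 11 19:00:02 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN {F}
Mar 11 19:20:10 mx postfix/postscreen[2001]: CONNECT from [192.0.2.10]:51234 to [198.51.100.1]:25
Mar 11 19:40:05 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN {F}
Mar 11 19:40:20 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL PLAIN {F}
Mar 11 19:40:31 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN {F}
Mar 11 19:40:41 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN {F}
Mar 11 20:30:00 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN {F}
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} ban candidate {ip}")
```

In the sample, 203.0.113.5 also fails three times, but spread over 90 minutes, so only the burst from 192.0.2.10 crosses the threshold.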


Re: postscreen vs. fail2ban

2015-03-11 Thread Wietse Venema
Michael Fox:
> I haven't implemented postscreen yet, but plan to.  So this question is for
> the postscreen experts here.
>
> As I understand it from the documentation, postscreen protects postfix from
> having to deal with most attack vectors, including higher volume attacks.
> So, does it make sense to also use something like fail2ban to block IPs that
> postscreen (or postfix) logs repeatedly as offenders?  Or is postscreen
> sufficient to protect postfix?

I would not bother, except in extreme cases where the same IP address
makes thousands and thousands of connections.

Wietse