Matus UHLAR - fantomas writes:
> I'm afraid it won't even help much - seems that dictionary attacks work much
> slower.
Not all of them are slow:
Nov 5 06:19:35 mail postfix/smtpd[28906]: warning: AUTH command rate limit exceeded: 4 from unknown[106.58.210.27] for service smtp
Nov 5
On 2019-11-04 03:32, Bernardo Reino wrote:
> You can create a custom action like:
> $ cat /etc/fail2ban/action.d/local_action.conf
> [Definition]
> actionban = /usr/local/sbin/fail2ban_action.sh add
> actionunban = /usr/local/sbin/fail2ban_action.sh delete
> actioncheck =
> actionstart =
>
John Schmerold:
What is the best way to protect against dictionary attacks in Postfix?
Wietse Venema:
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).
On 03 Nov 2019, at 06:06, Wietse Venema wrote:
Also, Postfix can rate-limit auth commands
On Sun, 3 Nov 2019, Phil Stracchino wrote:
On 2019-11-03 14:21, Bernardo Reino wrote:
On Sun, 3 Nov 2019, Phil Stracchino wrote:
I've been thinking about setting up exactly such a thing myself. Trying
to figure out how to make fail2ban talk to a Shorewall firewall on a
different box is just
2ban also)
> The only disadvantage is SSHGuard isn't in my repo. You have to build it.
>
> That said, I just use it for ssh. I use Anvil settings in postfix to slow
> down the occasional skid. Less is more. The desired email gets through. I
> don't see much in the way of dictiona
On 2019-11-03 14:21, Bernardo Reino wrote:
> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>> I've been thinking about setting up exactly such a thing myself. Trying
>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>> different box is just too much of a pain for such a
On Sun, 3 Nov 2019, John Schmerold wrote:
On 11/2/2019 9:42 PM, Wietse Venema wrote:
John Schmerold:
What is the best way to protect against dictionary attacks in Postfix?
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).
Wietse
I am using Postfix
On Sun, 3 Nov 2019, Phil Stracchino wrote:
On 2019-11-03 05:24, Allen Coates wrote:
On 03/11/2019 02:42, Wietse Venema wrote:
John Schmerold:
What is the best way to protect against dictionary attacks in Postfix?
Reportedly, fail2ban (no first-hand experience, because I have no
SASL
> On Nov 3, 2019, at 12:04 PM, Phil Stracchino wrote:
>
> On 2019-11-03 05:24, Allen Coates wrote:
>>
>>
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postf
. The desired email gets through. I don't see
much in the way of dictionary attacks on my postfix.
Original Message
From: ph...@caerllewys.net
Sent: November 3, 2019 9:04 AM
To: postfix-users@postfix.org
Subject: Re: Dictionary attacks
On 2019-11-03 05:24, Allen Coates wrote
On 2019-11-03 05:24, Allen Coates wrote:
>
>
> On 03/11/2019 02:42, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
On 11/2/2019 9:42 PM, Wietse Venema wrote:
John Schmerold:
What is the best way to protect against dictionary attacks in Postfix?
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).
Wietse
I am using Postfix as a filter in front of O365/cpanel/Google
On 03 Nov 2019, at 06:06, Wietse Venema wrote:
> Wietse Venema:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>
>
Wietse Venema:
> John Schmerold:
> > What is the best way to protect against dictionary attacks in Postfix?
>
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
Also, Postfix can rate-limit auth commands, on the assumption that
good use
On 03/11/2019 02:42, Wietse Venema wrote:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
>
> Wietse
>
I run a home-brewed
John Schmerold:
> What is the best way to protect against dictionary attacks in Postfix?
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).
Wietse
What is the best way to protect against dictionary attacks in Postfix?
Exim has a rcpt_fail_count variable I use to drop connections with the
attacker:
drop condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
log_message = Dictionary Attack Rejected (Began blocking af
Thanks, Viktor, for clarifying all this. Very helpful :-)
Forrest
On 6/12/15 12:31 PM, Viktor Dukhovni wrote:
On Fri, Jun 12, 2015 at 12:07:15PM -0400, Forrest wrote:
My server advertises (EHLO):
250-PIPELINING
250-SIZE [ omitted ]
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250
On 6/12/15 11:50 AM, Viktor Dukhovni wrote:
On Fri, Jun 12, 2015 at 11:05:42AM -0400, Forrest wrote:
My prior config was Sendmail 8 with Cyrus SASL which did not. My guess
from this log is that AUTH is taking place unencrypted, which may be the
cause?
Surely dictionary attacks on SASL were
On Fri, Jun 12, 2015 at 12:07:15PM -0400, Forrest wrote:
My server advertises (EHLO):
250-PIPELINING
250-SIZE [ omitted ]
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
No SASL AUTH there.
Hm. Interesting, thanks for pointing that obvious thing out :) I have the
Since upgrading to Postfix, my system is seeing a lot of this
activity. My prior config was Sendmail 8 with Cyrus SASL which did
not. My guess from this log is that AUTH is taking place unencrypted,
which may be the cause?
My server advertises (EHLO):
250-PIPELINING
250-SIZE [ omitted ]
On Fri, Jun 12, 2015 at 11:05:42AM -0400, Forrest wrote:
My prior config was Sendmail 8 with Cyrus SASL which did not. My guess
from this log is that AUTH is taking place unencrypted, which may be the
cause?
Surely dictionary attacks on SASL were also launched against
Sendmail
On 12 Jun 2015, at 11:05, Forrest wrote:
Since upgrading to Postfix, my system is seeing a lot of this
activity. My prior config was Sendmail 8 with Cyrus SASL which did
not.
This is a pure coincidence. I administer multiple mail servers running
Postfix, CommunigatePro, and Sendmail, and
Am 10.06.2015 um 00:19 schrieb Scott Lambert:
I've been looking for, but haven't found, yet, a postfix option that
would delay x seconds after a failed auth attempt. We still use
fail2ban, but the botnets are just too large.
This can be set within Dovecot when using Dovecot for SASL
I recently updated my system from Sendmail to Postfix 3.0.1. Since that
time, I've been targeted with several SASL dictionary attacks; activity
I've not seen in this number before.
Reading around elsewhere, I wonder if the script kiddies are looking for
Postfix in the banner (which I've
On Tue, Jun 09, 2015 at 12:54:51PM -0400, Forrest wrote:
I recently updated my system from Sendmail to Postfix 3.0.1. Since that
time, I've been targeted with several SASL dictionary attacks; activity I've
not seen in this number before.
Restricting SASL to TLS might help...
http
On Tue, Jun 09, 2015 at 01:23:47PM -0400, Forrest wrote:
postfix/smtpd[12345]: warning: unknown[212.156.86.90]: SASL LOGIN authentication failed: authentication failure
so I presume that's port 25, as I have submission running as another
configuration in master.cf.
By default the logs
On 6/9/15 1:02 PM, Viktor Dukhovni wrote:
On Tue, Jun 09, 2015 at 12:54:51PM -0400, Forrest wrote:
I recently updated my system from Sendmail to Postfix 3.0.1. Since that
time, I've been targeted with several SASL dictionary attacks; activity I've
not seen in this number before.
Restricting
On 6/9/15 1:38 PM, Viktor Dukhovni wrote:
On Tue, Jun 09, 2015 at 01:23:47PM -0400, Forrest wrote:
postfix/smtpd[12345]: warning: unknown[212.156.86.90]: SASL LOGIN authentication failed: authentication failure
so I presume that's port 25, as I have submission running as another
configuration
On Tue, Jun 09, 2015 at 02:26:20PM -0400, Forrest wrote:
So that log entry might be for the submission port, unless you've
configured it along the lines above.
I believe this is already set in my master.cf, which is:
smtp inet n - n - - smtpd
On Tue, Jun 09, 2015 at 07:23:43PM +, Viktor Dukhovni wrote:
On Tue, Jun 09, 2015 at 02:26:20PM -0400, Forrest wrote:
So that log entry might be for the submission port, unless you've
configured it along the lines above.
I believe this is already set in my master.cf, which is:
On 6/9/15 6:19 PM, Scott Lambert wrote:
On Tue, Jun 09, 2015 at 07:23:43PM +, Viktor Dukhovni wrote:
On Tue, Jun 09, 2015 at 02:26:20PM -0400, Forrest wrote:
So that log entry might be for the submission port, unless you've
configured it along the lines above.
I believe this is already
Now they're hitting me here:
Jun 9 23:49:13 mail postfix/smtpd[17263]: connect from unknown[71.19.249.5]
Jun 9 23:49:13 mail postfix/smtpd[17263]: lost connection after AUTH from unknown[71.19.249.5]
Jun 9 23:49:13 mail postfix/smtpd[17263]: disconnect from unknown[71.19.249.5] ehlo=1