Nikolai Lusan wrote:
> I am noticing an increasing number of botnet spam attempts on my mail
> servers (all of which have cluebringer installed, configured and in use).
> Now while some of them go away for a while after getting the greylisting
> notice, some don't, or others in the botnet pick up the "slack".
>
> I am also using fail2ban to protect other parts of my server
> infrastructure, and I was wondering if anyone had come up with a
> fail2ban config to protect against this type of botnet attack.
Can't help with a fail2ban config - though thinking about it, it would be useful ...

In a clustered setup like it sounds you have, there are techniques for merging the results from the cluster. I haven't picked one yet, but searching around the net, there seem to be a number of techniques people are using. One runs fail2ban on each server, and has an action which sends information to the gateway router - variations include using SSH and HTTP POST. Once the information is there, some act directly on it (using local scripts to ban/unban), others use fail2ban and simply watch the incoming data. Thus the gateway router can drop traffic to all the cluster.

You can run fail2ban on each server, or I reckon if you can send your mail logs to a central point (syslog will do this for you), then you can run fail2ban against the combined logs - hence detect something that only has one or two goes against each machine.

One thing you will need to watch though is that you could easily create false positives. It's not uncommon to see a legitimate server try several times during the initial greylisting period - IIRC I observed Exchange trying every minute for the first few minutes. Thus if you don't set fairly generous allowances, it would be easy to detect and drop these.

_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
