LinuxQuestions.org
Old 07-11-2013, 03:44 AM   #1
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Rep: Reputation: 15
How to reject ftp users from sending mail


Hello there,

Is there a way to reject ProFTP users from sending mail through sendmail? All ftp users have /bin/ftponly set as their shell and are all in separate groups. There are thousands of ftp users on the server. There are also thousands of mail users which have /bin/mailonly set as their shell and are also in separate groups.

Can users with a certain shell be blocked within the sendmail configuration? Or is it an option to use iptables for this?
 
Old 07-11-2013, 07:11 AM   #2
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
I know with iptables it is possible to accept outgoing smtp traffic for a certain gid or uid:

Code:
iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
The thing is, as I mentioned in my previous post, that there are thousands of ftp users on the server, all in their own group. The only thing that unites the ftp users is their shell /bin/ftponly.

Can someone please point me to another solution? I've been searching if this can be done using the sendmail configuration. Yes I can reject users from sending by adding a REJECT rule in /etc/mail/access. But this is not what I want with thousands of users.
 
Old 07-13-2013, 06:59 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Are you really running Sendmail or are you running another application like Postfix that provides a Sendmail compatible front end? I ask because this affects how you approach the problem and using a more advanced SMTP application, like Postfix, may give you more flexibility.

It looks like you need to add some form of authentication and adjust your relay access parameters. Often times the default is that any mail that originates on the system will be accepted and this seems to be the problem with your FTP users. This document may have some benefit for you: http://www.sendmail.org/~ca/email/auth.html#authrelay In particular, look for the "TRUST_AUTH_MECH(`list of mechanisms')" sections as there may be a way to adjust who is allowed to send mail. My suspicion is that you will need to use a white list approach and allow certain "groups" while denying everything else and this may require some tweaking to get right.
 
Old 07-15-2013, 09:58 AM   #4
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
Thank you for your reply. Yes we're using just sendmail. But the plan has changed because some users are using their ftp credentials on their websites in php forms to send mail. So blocking all the ftp user accounts from sending mail will cause problems.

The plan now is to check and log on users who authenticate against SMTP with their ftp credentials using the iptables -m string module. On several occurrences they will be blocked by ip address by the fail2ban mechanism.

If only I could use regex with the iptables string module.....
 
Old 07-15-2013, 10:03 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
If only I could use regex with the iptables string module.....
You may want to consider using Postfix, which does provide Sendmail compatibility for use with PHP forms and what not. Postfix supports regex hashes and you could simply add a permit list containing your regex strings.

See: http://www.postfix.org/postconf.5.ht..._sender_access

Last edited by Noway2; 07-15-2013 at 10:04 AM.
 
Old 07-16-2013, 08:23 AM   #6
jsaravana87
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Dedian
Posts: 558
Blog Entries: 5

Rep: Reputation: Disabled
You can configure vsftpd with virtual users. So you can block the FTP user from sending mail.

http://www.cyberciti.biz/tips/centos...ual-users.html
 
Old 07-16-2013, 09:42 AM   #7
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
Thank you both for your tips. But the servers I'm talking about are all in production and there are a significant number of those servers. So I can't switch from sendmail to postfix and from proftpd to vsftpd without a lot of work.

I maybe have found another solution for my challenge, I'm going to log the FTP spammers as follows:

Code:
iptables -A incoming -p tcp -m string ! --string "relay=localhost" --algo bm -m string --string "authid=" --algo bm -m string --string "$HOSTNAME" --algo bm -m geoip ! --src-cc NL,BE,DE,US,CA -j LOG --log-prefix "SPAM FTP-USER:  " --log-level info
Explanation:

Code:
! --string "relay=localhost"     # inverse match on relaying against localhost because PHP forms mail like this.
--string "authid="               # match on authid
--string "$HOSTNAME"             # match on hostname server because FTP spammers are authenticating authid=ftpuser@$HOSTNAME 
geoip ! --src-cc NL,BE,DE,US,CA  # if matching ip is not from one of these countries
And now fail2ban will check on occurrences of SPAM FTP-USER: in log and will block ip. That's the theory
 
Old 07-17-2013, 03:46 AM   #8
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
The theory does not work in practice. Of course the tcp packets don't contain the strings defined in the iptables rule.

For now I've made a fail2ban filter which checks on:

Code:
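# Flag the remote relay IP when authid has the user@host form the FTP accounts use
failregex = relay=(.*)\[<HOST>\], authid=..*@..*
# Literal match: in a regex, [localhost] is a character class, not the word "localhost"
ignoreregex = relay=localhost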
This matches to mail.log entries like this:

Code:
AUTH=server, relay=spammer.net [xx.xx.xx.xx], authid=ftpuser@hostingserver, mech=CRAM-MD5, bits=0
The entry above is the way ftpusers authenticate to send mail. The normal mail users authenticate without @hostingserver in our setup. relay[localhost] is ignored because of some users who use a PHP-form on their website to send mail.

Last edited by pete83; 07-19-2013 at 03:22 AM.
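
Added example (not part of pete83's post and not fail2ban's own code): a Python check of the filter logic from post #8 against constructed log lines, using a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag. It also shows that an ignore pattern written with square brackets, `[localhost]`, is a regex character class and so also ignores any relay whose name starts with one of those letters.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the post, with <HOST> expanded.
FAILREGEX = re.compile(
    r"relay=(.*)\[<HOST>\], authid=..*@..*".replace("<HOST>", HOST))

# Literal text "relay=localhost": local submissions such as PHP forms.
IGNORE_LITERAL = re.compile(r"relay=localhost")
# Square brackets form a character class: ONE character out of l,o,c,a,h,s,t.
IGNORE_CHARCLASS = re.compile(r"..*relay=[localhost]..*")

# Constructed sample lines modelled on the mail.log entry quoted in the post;
# host names, account names and addresses are made up (documentation ranges).
SAMPLE_LOG = [
    "sendmail[101]: AUTH=server, relay=spammer.example [203.0.113.7], "
    "authid=ftpuser@hostingserver, mech=CRAM-MD5, bits=0",
    "sendmail[102]: AUTH=server, relay=mail.example [198.51.100.9], "
    "authid=ftpuser2@hostingserver, mech=CRAM-MD5, bits=0",
    "sendmail[103]: AUTH=server, relay=localhost [127.0.0.1], "
    "authid=ftpuser@hostingserver, mech=CRAM-MD5, bits=0",
    "sendmail[104]: AUTH=server, relay=client.example [192.0.2.20], "
    "authid=mailuser, mech=CRAM-MD5, bits=0",
]


def hosts_to_ban(lines, ignore):
    """Return the IPs flagged: failregex matches and the ignore pattern does not."""
    flagged = []
    for line in lines:
        if ignore.search(line):
            continue  # ignored lines are never counted as failures
        match = FAILREGEX.search(line)
        if match:
            flagged.append(match.group("host"))
    return flagged


if __name__ == "__main__":
    print("literal ignore:   ", hosts_to_ban(SAMPLE_LOG, IGNORE_LITERAL))
    print("char-class ignore:", hosts_to_ban(SAMPLE_LOG, IGNORE_CHARCLASS))
```

On a real server, `fail2ban-regex` run against mail.log with the filter file gives the authoritative answer, since it applies fail2ban's own `<HOST>` expansion and timestamp handling.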
 
Old 07-19-2013, 03:23 AM   #9
pete83
Member
 
Registered: Dec 2007
Location: The Netherlands
Distribution: Ubuntu
Posts: 50

Original Poster
Rep: Reputation: 15
The above seems to reduce the spam by ftp users. So solved!
 