LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-18-2010, 01:58 PM   #16
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18

I think they are already in your queue for outbound mail. But there could already be thousinds. So maybe no more are comming in but as your mail server is unable to deliver those that are already there it might try to resend them. If memory serves me right there should be some delay before next delivery attempt.
Spam is a neverending story so you might want to look at block/blacklists.

What is your "mynetworks_style=" set to in main.cf?
And your "mynetworks="?
Maybe you are allowing mail relay. That is a sure way to have your mailserver be used for sending smap mail.

As far as I remember SA should work out of the box but always need some finetuning and stuff to do. Open relay, keyword filters, blacklists etc.
Sorry I dont run SA or Postfix atm.
 
Old 04-18-2010, 02:04 PM   #17
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = finsbess.com
myhostname = web.finsbess.co.il
mynetworks = 212.120.126.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = regexp:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = no
smtpd_peername_lookup = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_uid_maps = static:89
it's ok thanks for the help,
ok, postsuper -d ALL , done postsuper: Deleted: 93010 messages this is alot of messages (:

I don't know man it seems like spamd is fighting them, I don't know who's winning 20%wa , 10%wa omg 7%wa damn 20%wa I think we are going to loose!

well it seems to be bit better. will try to send mail..

how I can improve SpamA?

Last edited by moimel; 04-18-2010 at 02:13 PM.
 
Old 04-18-2010, 02:16 PM   #18
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
It looks like you allow your outside ip address to send mail to remote destinations.
mynetworks = 212.120.126.0/24, 127.0.0.0/8
Only local users should be allowed to send emails to the world. Emails coming to you should only be to you and not relayed to remote destinations.
I think you need to set mynetworks to your local addresses.

If you set mynetworks_style to "host" postfix will permit only ipadresses on the host it runs on to send messages to remote locations.
If you set it to "class" it will allow only for the network class (local ip range) it is in. 10.0.0.0/8, 172.16.0.0/16 or 192.168.0.0/24 or what ever ip class you are in.
If you set it to subnet only the hosts in the same subnet as postfix will be allowed to relay to remote destinations.

Or you could set mynetworks=127.0.0.0/8, 10.0.0.0/24, 192.168.1.10/32 #localhost, the whole 10 subnet or only host 192.168.1.10
Or what ever your subnet is.

Hope it works.
 
1 members found this post helpful.
Old 04-18-2010, 02:22 PM   #19
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
And you might want to set:
smtpd_recipient_restrictions=permit_mynetworks, reject_unauth_destination

As far as I remember.
 
Old 04-18-2010, 02:34 PM   #20
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
I dont know I tried all of it...it keeps coming I hate them
 
Old 04-18-2010, 02:35 PM   #21
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
You restarted postfix after those config changes, right?
 
Old 04-18-2010, 02:56 PM   #22
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Maybe I post this at the Newbie section but im not that noob - -
I did restarted.

I think i'll use check_sender_access hash:$config_directory/sender_client to identify my clients...it's the only thing blocking them. it seems to be the only manner to block them completely.
or maybe block all those clients. thanks anyway

Last edited by moimel; 04-18-2010 at 02:58 PM.
 
Old 04-18-2010, 03:11 PM   #23
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
i'm open to better solutions, I think the approach of using SpamA is useless because what's happenning in the /vsr/spool/postfix directory is chaos, new file opened and deleted each second...so the SA deletes the spam, so what? it still takes all the queue and loads the heck of the server!

need some kind of firewall blocking...iptables or something but I don't understand why it isn't blocking them?

theoretically, if i'll extract all the hosts bombarding the server from the log, and:
Code:
for x in `cat hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
done
and leave it to work every 10 minutes, after the night it should block them all, not?
please fix me if i'm wrong.

Last edited by moimel; 04-18-2010 at 03:42 PM.
 
Old 04-18-2010, 06:01 PM   #24
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
OK somthing very very weird is happening please help me,

after giving about 10,000 bans in iptables it seems to do somthing: now in the logs :
I see that every bot login from localhost
Apr 19 01:00:01 game3 postfix/smtpd[9399]: connect from localhost.localdomain[127.0.0.1]

EVERY ONE!

what is it means?!
 
Old 04-18-2010, 06:54 PM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Adding to what noden already suggested (smtpd_recipient_restrictions) http://www.postfix.org/SMTPD_ACCESS_README.html more or less suggests the following lines. Do check if these are OK for your Postfix version then add them to main.cf and restart:
Code:
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname, reject_unknown_helo_hostname, reject_non_fqdn_hostname
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
OTOH would it be a good idea to just shut your MTA down until you've got a fix on things? How about setting "mynetworks = 127.0.0.1" and "inet_interfaces = lo"? That way your MTA won't be exposed (OK, unless there's something fishy running locally). And manually adding IP addresses will only consume RAM since there's no way of knowing if and when a specific IP address will return: instead try something like fail2ban. IIGC it has a configuration for Postfix. Just thinking out loud...
 
Old 04-19-2010, 06:48 AM   #26
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
unSpawn those directive are negligible in contrast to what I put in my main.cf:

Code:
smtpd_client_restrictions = reject_rbl_client cbl.abuseat.org,
                            reject_rbl_client sbl.spamhaus.org,
                            reject_rbl_client zen.spamhaus.org,
                            permit
smtpd_peername_lookup = no
smtpd_helo_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        permit
smtpd_sender_restrictions = reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        check_client_access hash:$config_directory/access_client,
        check_sender_access hash:$config_directory/access_sender,
        permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = fingbes.co.il
smtpd_delay_reject = yes
Nevertheless, nothing is working this attack is unStoppable! anyway settings inet_interface to localhost stops it (: so I guess it's not from the inside or somthing like this but still it's fucking weird I blocked all of them and they still can connect .
 
Old 04-19-2010, 07:18 AM   #27
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Well, it seem to be fading now it's standing on 5%wa~ and less and less attacks are coming in,

Maybe is the combination of SpamAssassin and the following codes I runed during the night, i'll explain for the next generations:

Create log.php file in /root/ and it's content
Code:
<?php
        function validate_ip($ip_addr)
        {
                        if(preg_match("/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/",$ip_addr))
                        {
                                        $parts=explode(".",$ip_addr);
                                        foreach($parts as $ip_parts)
                                        {
                                                        if(intval($ip_parts)>255 || intval($ip_parts)<0)
                                                                        return false;
                                        }
                                        return true;
                        }
                        else
                                        return false;
        }
        $lines = file('/var/log/maillog');
        $fp = fopen('/root/hosts', 'w');
        foreach ($lines as $line_num => $line) {
                        $host = substr($line, (strrpos($line, '[')+1), strrpos($line, ']')-(strrpos($line, '[')+1));
                        if (strpos($host, '--YOUR SUBNET--') === false && strpos($host, '127.0.0.1') === false && validate_ip($host) == true)
                                fwrite($fp, $host." ");
        }
        fclose($fp);
        $fp = fopen('/var/log/maillog', 'w');
        ftruncate($fp, 0);
        fclose($fp);
?>
then create bash file called 'kill' (in /root/) or whatever put inside:
Code:
for x in `cat hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
done

rm -rf /root/hosts
create file 'ddos' in /root/ :
Code:
php -q log.php
./kill
echo "Done in `date`" >> /root/ddos.log
Enter the following:
# echo "*/10 0-23 1-31 1-12 0-7 root ./ddos" >> /etc/crontab
# crontab /etc/crontab

Remember to : service iptables save . on restart.

Optionally another one but unproven one (I don't know if it actually did somthing):

Code:
<?php
        $lines = file('/root/tcp25.log');
        $fp = fopen('/root/tcp25hosts', 'w');
        foreach ($lines as $line_num => $line) {
                        $exp = explode(' ', $line);
                        $h1 = $exp[2];
                        $h2 = $exp[4];
                        if (strpos($h1, 'yourhost.tld'))
                                $host = $h2;
                        else
                                $host = $h1;
                        $host = substr($host, 0, strrpos($host, '.'));
                        if (strpos($host, '--YOUR SUBNET--') === false && strpos($host, 'yourhost.tld') === false && strpos($host, '127.0.0.1') === false)
                                fwrite($fp, $host." ");
        }
        fclose($fp);
        $fp = fopen('/root/tcp25.log', 'w');
        ftruncate($fp, 0);
        fclose($fp);
?>
Run
# tcpdump -i eth0 'tcp port 25' >> /root/tcp25.log

Enter the following:
# echo "*/10 0-23 1-31 1-12 0-7 root ./tcp25" >> /etc/crontab
# crontab /etc/crontab


create tcp25 bash file:
Code:
php -q tcp25log.php
./tcp25kill
echo "Done in `date`" >> /root/tcp25kill.log
and kill file (tcp25kill):
Code:
for x in `cat tcp25hosts`
do
        iptables -A INPUT -p tcp -s $x --dport 25 -j DROP
        iptables -A OUTPUT -p tcp -s $x --dport 25 -j DROP
done

rm -rf /root/tcp25hosts
GO TO sleep and hope that in the morning they'll be dead.

Last edited by moimel; 04-19-2010 at 07:21 AM.
 
Old 04-19-2010, 02:23 PM   #28
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
Did you try with the "postsuper" command? To empty your mail queue?
 
Old 04-20-2010, 03:32 PM   #29
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Smtp port blocked, yet packets delivered in and out

Hey I'm using iptables to block smtp port like this:
Code:
[root@ ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp
with this commands:
iptables -A INPUT -p tcp --dport 25 --sport 25 -j DROP


yet when monitoring traffic:
Code:
[root@game3 ~]# tcpdump -n tcp port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:23:32.339792 IP 121.35.170.181.can-ferret > MY-IP.smtp: S 3636350420:3636350420(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:32.638640 IP 121.34.200.183.slush > MY-IP.smtp: S 2084693075:2084693075(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:33.256984 IP 121.35.168.87.vpntpp > MY-IP.smtp: S 3096707673:3096707673(0) win 65535 <mss 1440,nop,nop,sackOK>
22:23:34.430466 IP 121.34.200.189.a16-an-an > MY-IP.smtp: S 2972377123:2972377123(0) win 65535 <mss 1440,nop,nop,sackOK>

4 packets captured
30 packets received by filter
0 packets dropped by kernel
I can see a lot of packets inside and outside in port 25.

However, when checking netstat I CAN'T see even one connection on smtp port!

How come?

p.s. I cannot access with telnet to port 25. (from my own pc)

Thanks

Last edited by moimel; 04-20-2010 at 04:06 PM.
 
Old 04-20-2010, 06:29 PM   #30
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Moved: This thread is more suitable in the Linux Newbie forum and has been moved accordingly to help your thread/question get the exposure it deserves and awaiting merge with related threads http://www.linuxquestions.org/questi...-mails-801847/ and http://www.linuxquestions.org/questi...nd-out-803113/.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Flooded Logs (LDAP Error)? carlosinfl Red Hat 1 12-28-2007 06:55 AM
Excessive Shorewall Logs - Help! mac57 Mandriva 8 07-11-2005 07:36 PM
Excessive Shorewall Logs - Solved mac57 Mandriva 4 02-12-2005 01:34 PM
My logs are being flooded from pings from my router(i think)!!! rmanocha Linux - Networking 8 03-11-2004 02:42 PM
snort logs get flooded iceman47 Linux - Security 2 06-04-2003 05:36 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration