#1 | 02-06-2012, 09:51 PM | Member | Registered: Sep 2003 | Posts: 239
postfix, how to reject sender IP address after N times attempting
Dear All,
I saw someone trying to attack my Postfix server by entering random passwords. How do I automatically reject a sender IP address after N attempts?
Any help appreciated.
Thanks & regards,
Winanjaya
#2 | 02-06-2012, 11:11 PM | Member | Registered: May 2009 | Location: Fort Langley BC | Distribution: Kubuntu, FreeBSD, OSX, Windows | Posts: 342
fail2ban has a great postfix filter:
http://www.fail2ban.org/wiki/index.php/Main_Page
You can automatically ban an IP for as long as you like. Works great.
#3 | 02-07-2012, 12:17 AM | Member (Original Poster) | Registered: Sep 2003 | Posts: 239
Yes, I tried it but no luck :->( .. what did I miss?
I also restarted fail2ban.
In /etc/fail2ban/jail.conf I have the following:
    [postfix-tcpwrapper]
    enabled = true
    filter = postfix
    action = hostsdeny[file=/var/log/postfix_hosts.deny]
             sendmail[name=Postfix, dest=it-department@lippoinsurance.com]
    logpath = /var/log/postfix.log
    bantime = 300

    [sasl-iptables]
    enabled = true
    filter = sasl
    backend = polling
    action = iptables[name=sasl, port=smtp, protocol=tcp]
             sendmail-whois[name=sasl, dest=it-department@lippoinsurance.com]
    logpath = /var/log/mail.log
and in /etc/fail2ban/filter.d/postfix.conf:
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
    ignoreregex =
and in /etc/fail2ban/filter.d/sasl.conf:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    ignoreregex =
#4 | 02-07-2012, 01:06 AM | Member | Registered: May 2009 | Location: Fort Langley BC | Distribution: Kubuntu, FreeBSD, OSX, Windows | Posts: 342
I am using Postfix/Dovecot with Postgrey and Fail2ban on Ubuntu Server 10.
My authentication logs for Dovecot are in /var/log/auth.log.
You might look through your logs and see where the nuisance attempts are logged, and point fail2ban's postfix jail at that location.
Also, you may want to create a jail.local rather than using jail.conf so it doesn't get overwritten by an update.
Keep me posted (pun intended).
#5 | 02-07-2012, 01:19 AM | Member | Registered: Sep 2011 | Posts: 130
I seem to recall limiting login attempts for SASL with Postfix was a PITA. Nefarious users and brute forcers were able to just keep on hammering away at it. I did ask on the Postfix users list if there was a sensible way to limit attempts and got the usual "Where in the RFCs does it say there should be a limit" type abuse and useless answer from Wietse Venema and co (one of the reasons we use Exim is the author, Phil Hazel, and his users support list is just much better).
Take a look at these config directives/options. They may [stress MAY, not WILL] be helpful to you, but I can't promise. I seem to recall the fix we put in place was to kick a user after three errors in the SMTP session, and limit the number of connections someone could make with a simple iptables rule (something like this, but not tested word for word):
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
However, I'm not sure it caught SASL logins; it's a bit of a distant memory now.
    smtpd_error_sleep_time = 5s
    smtpd_soft_error_limit = 5
    smtpd_hard_error_limit = 5
Also look into these options:
    smtpd_client_event_limit_exceptions
    smtpd_client_connection_count_limit
    anvil_rate_time_unit
    client_connection_rate_time_unit
    smtpd_client_connection_rate_limit
    smtpd_client_event_limit_exceptions
The manual may help: http://www.postfix.org/postconf.5.ht...ft_error_limit
Last edited by leslie_jones; 02-07-2012 at 01:21 AM.
#6 | 02-07-2012, 01:23 AM | Member (Original Poster) | Registered: Sep 2003 | Posts: 239
In my /var/log/maillog I see the lines below:
Feb 7 14:27:35 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL LOGIN authentication failed: authentication failure
Feb 7 14:27:35 smtp postfix/smtpd[11421]: > unknown[112.215.45.219]: 535 5.7.0 Error: authentication failed: authentication failure
and in my jail.local
[spam]
enabled = true
filter = spam
#action = iptables[name=SPAM, port=smtp, protocol=tcp]
action = sendmail-whois[name=SPAM, dest=it-department@mydomain.com, sender=fail2ban@mydomain.com]
logpath = /var/log/maillog
bantime = 3600
ignoreip = 127.0.0.1
maxretry = 3
and my ../filter.d/spam is as follows:
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 535.5.7.0
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
Any idea?
Thanks
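An added example (not from the thread) in Python that mimics fail2ban's filter stage: it expands <HOST>, runs the thread's two failregex sets over a constructed maillog sample, and counts failures per host against maxretry = 3. It shows why the "spam" filter above never bans the SASL attacker: its patterns look for "reject: RCPT from", which the "535 5.7.0" login-failure line never contains, while the sasl.conf regex quoted earlier matches the "SASL LOGIN authentication failed" warning. The HOST_RE stand-in, the TEST-NET addresses and the sample lines are assumptions.

```python
import re
from collections import defaultdict
# fail2ban substitutes a host/IP pattern for <HOST> before compiling a failregex;
# this is a simplified stand-in (assumption: IPv4 address or bare hostname only).
HOST_RE = r"(?P<host>[\w.-]+)"
# failregex from the thread's filter.d/sasl.conf (matches Postfix SASL auth failures).
SASL_FAILREGEX = [
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
]
# failregex from the thread's filter.d/spam (matches RCPT rejects, not login failures).
SPAM_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 535.5.7.0",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile each line of a failregex, as fail2ban does for a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def count_failures(lines, patterns):
    """Return {host: failures}; a log line counts once, for the first pattern that matches it."""
    compiled = compile_failregex(patterns)
    counts = defaultdict(int)
    for line in lines:
        for pat in compiled:
            m = pat.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return dict(counts)

def hosts_to_ban(lines, patterns, maxretry=3):
    """Hosts that reached maxretry failures (findtime window ignored for brevity)."""
    return sorted(h for h, n in count_failures(lines, patterns).items() if n >= maxretry)

# Constructed sample maillog, modelled on the lines quoted in this thread (TEST-NET addresses).
SAMPLE_MAILLOG = [
    "Feb 7 14:27:35 smtp postfix/smtpd[11421]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Feb 7 14:27:35 smtp postfix/smtpd[11421]: > unknown[192.0.2.10]: 535 5.7.0 Error: authentication failed: authentication failure",
    "Feb 7 14:27:40 smtp postfix/smtpd[11421]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "Feb 7 14:27:44 smtp postfix/smtpd[11421]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "Feb 7 14:28:02 smtp postfix/smtpd[11423]: warning: mx.example.net[192.0.2.20]: SASL LOGIN authentication failed: authentication failure",
    "Feb 7 14:29:10 smtp postfix/smtpd[11425]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail>",
]

if __name__ == "__main__":
    print("sasl filter would ban:", hosts_to_ban(SAMPLE_MAILLOG, SASL_FAILREGEX))  # ['192.0.2.10']
    print("spam filter would ban:", hosts_to_ban(SAMPLE_MAILLOG, SPAM_FAILREGEX))  # []
```

Pointing the jail at the sasl filter (or adding its regex to your own filter) is what turns the "535" login failures into bans; the RCPT patterns only ever count delivery rejects.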
#7 | 02-07-2012, 01:38 AM | Member | Registered: May 2009 | Location: Fort Langley BC | Distribution: Kubuntu, FreeBSD, OSX, Windows | Posts: 342
Does your setup use PAM? If so, enable pam-generic. From my last authentication ban:
"The IP 117.41.181.131 has just been banned by Fail2Ban after
3 attempts against pam-generic."
yada yada, then:
"Lines containing IP:117.41.181.131 in /var/log/auth.log
Jan 17 18:54:31 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:36 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:41 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131"
So, on my setup, it is pam that is doing the authentication.
Ciao !
#8 | 02-07-2012, 01:51 AM | Member (Original Poster) | Registered: Sep 2003 | Posts: 239
Are my jail.local and spam.conf correct?
#9 | 02-07-2012, 02:08 AM | Member | Registered: May 2009 | Location: Fort Langley BC | Distribution: Kubuntu, FreeBSD, OSX, Windows | Posts: 342
Your configs look okay for spam, but aren't you trying to block unauthorized logins, as opposed to spam?
What authentication method are you using? PAM or saslauthd?
#10 | 02-07-2012, 02:31 AM | Member (Original Poster) | Registered: Sep 2003 | Posts: 239
Hi.. it works, but it does not send me a notification email??
cat /var/log/fail2ban.log
2012-02-07 15:21:42,789 fail2ban.actions: WARNING [spam] Ban 202.148.17.2
2012-02-07 15:23:32,573 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:24:21,571 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:25:16,566 fail2ban.actions: WARNING [spam] Ban 180.254.63.203
2012-02-07 15:25:37,549 fail2ban.actions: WARNING [spam] Ban 110.137.165.194
2012-02-07 15:25:43,739 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:25:46,740 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:22,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:24,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:27,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:31,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:34,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:36,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:27:50,730 fail2ban.actions: WARNING [spam] Ban 180.251.173.143
2012-02-07 15:29:30,974 fail2ban.actions: WARNING [spam] 180.251.173.143 already banned
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 172.16.1.88
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 202.148.17.2
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.254.63.203
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 110.137.165.194
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.251.173.143
#11 | 02-07-2012, 05:21 AM | Senior Member | Registered: Jul 2007 | Distribution: Gentoo | Posts: 2,125
I have never received a notification email from fail2ban. Off hand, I am not even sure if it supports this option. It seems to me like you would get A LOT, and I do mean A LOT, of noisy email this way. While at first it may be satisfying to see the results, it will get old fast. Instead I would recommend using a program like Logwatch, which will give you a daily summary of your log files. There is even a Logwatch-like program for Postfix which will scan your email logs and provide you with a summary of the traffic, including bounces, rejects, etc. The one I use is called pflogsumm.pl.
#12 | 02-07-2012, 12:04 PM | Member | Registered: Oct 2003 | Location: Arkansas, NWA | Distribution: Fedora/CentOS/SL6 | Posts: 381
Can you share/post some snippets from your fail2ban configuration?
I am setting up a new Drupal server and think it would be a good idea.
#13 | 02-07-2012, 06:57 PM | Member (Original Poster) | Registered: Sep 2003 | Posts: 239
Agreed, I decided not to use email notification since it would be an internal spammer for the IT Department :->)
To rhBegin,
herewith is mine:
I leave fail2ban.conf at its defaults.
I copy jail.conf to jail.local.
vi /etc/jail.local
[sasl]
enabled = true
filter = sasl
action = iptables-sasl[name=sasl, port=8025, protocol=tcp]
logpath = /var/log/maillog
bantime = 3600
ignoreip = 127.0.0.1 172.16.0.1/24
maxretry = 3