LinuxQuestions.org
Old 02-06-2012, 10:51 PM   #1
Winanjaya
postfix, how to reject sender IP address after N times attempting


Dear All,

I saw someone trying to attack my Postfix server by entering random passwords. How can I automatically reject the sender IP address after N attempts?

any help appreciated..

thanks & regards
Winanjaya
 
Old 02-07-2012, 12:11 AM   #2
ceyx
Distribution: Kubuntu, FreeBSD, OSX, Windows
fail2ban has a great postfix filter:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can automatically ban an IP for as long as you like. Works great.
 
Old 02-07-2012, 01:17 AM   #3
Winanjaya (Original Poster)
Yes, I tried it but no luck :->( .. what did I miss?
I have also restarted fail2ban.

In /etc/fail2ban/jail.conf I have the following:

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny[file=/var/log/postfix_hosts.deny]
         sendmail[name=Postfix, dest=it-department@lippoinsurance.com]
logpath = /var/log/postfix.log
bantime = 300

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=it-department@lippoinsurance.com]
logpath = /var/log/mail.log

and in /etc/fail2ban/filter.d/postfix.conf:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

ignoreregex =

and in /etc/fail2ban/filter.d/sasl.conf:

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =
 
Old 02-07-2012, 02:06 AM   #4
ceyx
I am using Postfix/Dovecot with Postgrey and Fail2ban on Ubuntu Server 10.

My authentication logs for Dovecot are in /var/log/auth.log

You might look through your logs and see where the nuisance attempts are logged, and match fail2ban-postfix to that location.

Also, you may want to create a jail.local rather than using jail.conf so it doesn't get overwritten by an update.

Keep me posted ( pun )
 
Old 02-07-2012, 02:19 AM   #5
leslie_jones
I seem to recall limiting login attempts for SASL with Postfix was a PITA. Nefarious users and brute forcers were able to just keep on hammering away at it. I did ask on the Postfix users list if there was a sensible way to limit attempts and got the usual "Where in the RFCs does it say there should be a limit" type abuse and useless answer from Wietse Venema and co (one of the reasons we use Exim is the author, Phil Hazel, and his users support list is just much better).


Take a look at these config directives/options. They may [stress MAY, not WILL] be helpful to you - but I can't promise. I seem to recall the fix we put in place was to kick a user after three errors in the SMTP session, and limit the number of connections someone could make with a simple iptables rule (something like, but not tested word for word):

    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
    iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
However, I'm not sure it caught SASL logins - it's a bit of a distant memory now.

    smtpd_error_sleep_time = 5s
    smtpd_soft_error_limit = 5
    smtpd_hard_error_limit = 5

Also look into these options:

    smtpd_client_event_limit_exceptions
    smtpd_client_connection_count_limit
    anvil_rate_time_unit
    client_connection_rate_time_unit
    smtpd_client_connection_rate_limit
The manual may help: http://www.postfix.org/postconf.5.ht...ft_error_limit

Last edited by leslie_jones; 02-07-2012 at 02:21 AM.
 
Old 02-07-2012, 02:23 AM   #6
Winanjaya (Original Poster)
In my /var/log/maillog I see the following:

Feb 7 14:27:35 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL LOGIN authentication failed: authentication failure
Feb 7 14:27:35 smtp postfix/smtpd[11421]: > unknown[112.215.45.219]: 535 5.7.0 Error: authentication failed: authentication failure
F

and in my jail.local:

[spam]
enabled = true
filter = spam
#action = iptables[name=SPAM, port=smtp, protocol=tcp]
action = sendmail-whois[name=SPAM, dest=it-department@mydomain.com, sender=fail2ban@mydomain.com]
logpath = /var/log/maillog
bantime = 3600
ignoreip = 127.0.0.1
maxretry = 3

and my ../filter.d/spam is as follows:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 535 5.7.0

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT


Any idea?

thanks
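As an added example (not code from the thread or from fail2ban itself), the Python below applies the filter.d/sasl.conf regex from post #3 and the filter.d/spam regexes from post #6 to constructed maillog lines in the format shown in post #6, emulating fail2ban's maxretry/findtime counting per host. It shows that the SASL failure lines are matched only by the sasl filter: the spam regexes require "reject: RCPT from", which the "535 5.7.0" line does not contain. The <HOST> expansion and the syslog timestamp format are assumptions modelled on the fail2ban 0.8 series and on the lines posted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: fail2ban expands <HOST> to a group named "host" (IPv4/IPv6/hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# filter.d/sasl.conf regex (post #3) and filter.d/spam regexes (post #6), <HOST> expanded.
SASL = [re.compile(r"(?i): warning: [-._\w]+\[" + HOST
                   + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")]
SPAM = [re.compile(r"reject: RCPT from (.*)\[" + HOST + r"\]: " + code)
        for code in (r"550 5\.1\.1", r"450 4\.7\.1", r"554 5\.7\.1", r"535 5\.7\.0")]

# Constructed sample log in the format of the maillog lines posted in the thread.
LOG = """\
Feb 7 14:27:35 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL LOGIN authentication failed: authentication failure
Feb 7 14:27:35 smtp postfix/smtpd[11421]: > unknown[112.215.45.219]: 535 5.7.0 Error: authentication failed: authentication failure
Feb 7 14:27:40 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL LOGIN authentication failed: authentication failure
Feb 7 14:27:45 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL PLAIN authentication failed: authentication failure
Feb 7 14:28:01 smtp postfix/smtpd[11430]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def when(line):
    """Parse the syslog timestamp; the (default) year does not matter for window arithmetic."""
    return datetime.strptime(STAMP.match(line).group(1), "%b %d %H:%M:%S")


def scan(log, regexes, maxretry=3, findtime=600):
    """Emulate a fail2ban jail: count matches per host inside a sliding findtime window.
    Returns (hits still inside the window per host, hosts that reached maxretry)."""
    hits = defaultdict(list)
    banned = set()
    for line in log.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                host, t = m.group("host"), when(line)
                hits[host] = [x for x in hits[host] if t - x <= timedelta(seconds=findtime)]
                hits[host].append(t)
                if len(hits[host]) >= maxretry:
                    banned.add(host)
                break  # one failregex match per line, as fail2ban does
    return {h: len(v) for h, v in hits.items()}, banned


if __name__ == "__main__":
    print("sasl filter:", scan(LOG, SASL))  # 112.215.45.219 seen 3 times -> banned
    print("spam filter:", scan(LOG, SPAM))  # only the 550 reject matches, nothing banned
```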
 
Old 02-07-2012, 02:38 AM   #7
ceyx
Does your setup use PAM? If so, enable pam-generic. From my last authentication ban:

"The IP 117.41.181.131 has just been banned by Fail2Ban after
3 attempts against pam-generic."

yada yada, then:

"Lines containing IP:117.41.181.131 in /var/log/auth.log

Jan 17 18:54:31 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:36 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:41 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131"

So, on my setup, it is pam that is doing the authentication.

Ciao !
 
Old 02-07-2012, 02:51 AM   #8
Winanjaya (Original Poster)
Are my jail.local and spam.conf correct?
 
Old 02-07-2012, 03:08 AM   #9
ceyx
Your configs look okay for spam, but aren't you trying to block unauthorized logins, as opposed to spam?

What authentication method are you using? PAM, saslauthd?
 
Old 02-07-2012, 03:31 AM   #10
Winanjaya (Original Poster)
Hi.. it works,
but it does not send me a notification email??


cat /var/log/fail2ban.log

2012-02-07 15:21:42,789 fail2ban.actions: WARNING [spam] Ban 202.148.17.2
2012-02-07 15:23:32,573 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:24:21,571 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:25:16,566 fail2ban.actions: WARNING [spam] Ban 180.254.63.203
2012-02-07 15:25:37,549 fail2ban.actions: WARNING [spam] Ban 110.137.165.194
2012-02-07 15:25:43,739 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:25:46,740 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:22,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:24,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:27,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:31,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:34,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:36,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:27:50,730 fail2ban.actions: WARNING [spam] Ban 180.251.173.143
2012-02-07 15:29:30,974 fail2ban.actions: WARNING [spam] 180.251.173.143 already banned
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 172.16.1.88
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 202.148.17.2
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.254.63.203
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 110.137.165.194
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.251.173.143
 
Old 02-07-2012, 06:21 AM   #11
Noway2
Distribution: Ubuntu 10.10, Slackware 64-current
I have never received a notification email from fail2ban. Off hand, I am not even sure if it supports this option. It seems to me like you would get A LOT, and I do mean A LOT, of noisy email this way. While at first it may be satisfying to see the results, it will get old fast. Instead I would recommend using a program like Logwatch, which will give you a daily summary of your log files. There is even a Logwatch-like program for Postfix which will scan your email logs and provide you with a summary of the traffic, including bounces, rejects, etc. The one I use is called pflogsumm.pl.
 
Old 02-07-2012, 01:04 PM   #12
rhbegin
Distribution: Fedora/CentOS/SL6
Can you share/post some snippets from your fail2ban configuration?

I am setting up a new Drupal server and thinking it would be a good idea.
 
Old 02-07-2012, 07:57 PM   #13
Winanjaya (Original Poster)
Agreed, I decided not to use email notification since it would be an internal spammer for IT Department :->)

To rhbegin,

Here is mine:

I leave fail2ban.conf at its defaults.

I copy jail.conf to jail.local

vi /etc/jail.local

[sasl]
enabled = true
filter = sasl
action = iptables-sasl[name=sasl, port=8025, protocol=tcp]
logpath = /var/log/maillog
bantime = 3600
ignoreip = 127.0.0.1 172.16.0.1/24
maxretry = 3
 