postfix, how to reject sender IP address after N times attempting
LinuxQuestions.org forum: Linux - Security. This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Dear All,
I saw someone trying to attack my Postfix server by trying random passwords. How can I automatically reject a sender's IP address after N attempts?
I seem to recall that limiting login attempts for SASL with Postfix was a PITA. Nefarious users and brute-forcers were able to just keep on hammering away at it. I did ask on the Postfix users list if there was a sensible way to limit attempts and got the usual "Where in the RFCs does it say there should be a limit?" type abuse and useless answer from Wietse Venema and co. (one of the reasons we use Exim is that the author, Phil Hazel, and his users' support list are just much better).
Take a look at these config directives/options. They MAY (stress MAY, not WILL) be helpful to you, but I can't promise. I seem to recall the fix we put in place was to kick a user after three errors in the SMTP session, and to limit the number of connections someone could make with a simple iptables rule (something like the following, but not tested word for word):
Quote:
# Rule 1: if this source address already has 5 or more new SMTP connections
# recorded in the last 60 seconds, drop this new connection.
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
# Rule 2: otherwise record this new connection against the source address.
# Order matters: the --update check must come before the --set that records the hit.
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
However, I'm not sure it caught SASL logins - it's a bit of a distant memory now.
I have never received a notification email from fail2ban. Offhand, I am not even sure if it supports this option. It seems to me like you would get A LOT, and I do mean A LOT, of noisy email this way. While at first it may be satisfying to see the results, it will get old fast. Instead I would recommend using a program like Logwatch, which will give you a daily summary of your log files. There is even a Logwatch-like program for Postfix which will scan your email logs and provide you with a summary of the traffic, including bounces, rejects, etc. The one I use is called pflogsumm.pl.
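The iptables "recent" rules in the first reply count new TCP connections to port 25 whatever their outcome, which is why that poster was unsure they caught SASL logins; fail2ban, mentioned in the second reply, instead counts the authentication failures that Postfix logs and bans the source after N of them in a time window. The script below writes out that threshold-and-window check so the logic is visible. It is an added example for this thread, not code from the thread, from fail2ban or from Postfix. It assumes the standard syslog-style Postfix line "warning: host[IP]: SASL LOGIN authentication failed: ...", assumes a year for the year-less syslog timestamps, and the log lines it runs on are constructed for the example; the ports in the generated DROP rule are also a choice made here, not taken from the thread.

```python
#!/usr/bin/env python3
"""Fail2ban-style detection of Postfix SASL brute force (added example).

Reads Postfix/syslog lines, counts "SASL ... authentication failed" per client
address inside a sliding time window, and reports the addresses that cross the
threshold together with an iptables rule to block each one.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Matches the line Postfix smtpd logs on a failed SASL authentication, e.g.
#   Mar 10 10:00:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# The client address is the bracketed part after the (possibly "unknown") hostname.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F:.]+)\]: SASL \S+ authentication failed"
)

# Syslog timestamps carry no year; one is assumed here so date arithmetic works.
ASSUMED_YEAR = 2024


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(lines, max_fail=5, window_sec=600):
    """Return {ip: time_threshold_reached} for every client that produced at
    least max_fail SASL failures within any window_sec-second span.
    Lines are expected in log (chronological) order, as in a mail log."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue                  # connects, successful logins, other daemons
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in offenders:
            continue                  # already flagged; keep the first crossing time
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_sec:
            q.popleft()               # drop failures that aged out of the window
        if len(q) >= max_fail:
            offenders[ip] = t
    return offenders


def iptables_rules(offenders):
    """One DROP rule per offending address on the SMTP and submission ports
    (ports and the multiport match are choices for this example)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports 25,465,587 -j DROP"
        for ip in sorted(offenders)
    ]


# Constructed sample log: 203.0.113.7 fails 5 times in 16 s; 198.51.100.9 fails
# 3 times; 192.0.2.5 fails 5 times but 30 min apart, outside a 10-minute window.
SAMPLE_LOG = """\
Mar 10 09:00:00 mx postfix/smtpd[1201]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 09:30:00 mx postfix/smtpd[1202]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:00 mx postfix/smtpd[1203]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:01 mx postfix/smtpd[1210]: connect from unknown[203.0.113.7]
Mar 10 10:00:01 mx postfix/smtpd[1210]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:05 mx postfix/smtpd[1210]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 10 10:00:09 mx postfix/smtpd[1210]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:13 mx postfix/smtpd[1211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:17 mx postfix/smtpd[1211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:20 mx postfix/smtpd[1212]: 4F3A1C0B2: client=mail.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Mar 10 10:01:00 mx postfix/smtpd[1213]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar 10 10:01:30 mx postfix/smtpd[1213]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar 10 10:02:00 mx postfix/smtpd[1213]: warning: mail.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar 10 10:30:00 mx postfix/smtpd[1220]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 11:00:00 mx postfix/smtpd[1221]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

if __name__ == "__main__":
    # Pipe a real mail log in (e.g. "./sasl_bans.py < /var/log/mail.log"),
    # or run without input to process the constructed sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    hits = find_brute_forcers(src)
    for ip, when in sorted(hits.items()):
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(hits)))
```

Two things the sample makes visible: only the fast attacker is caught with the default 5-in-10-minutes setting, and the slow one (five failures spread over two hours) is never flagged unless the window is widened, which is the same trade-off you tune in fail2ban's `maxretry`/`findtime`. Because the check keys on logged authentication failures rather than TCP connections, a legitimate relay opening many connections is not affected, unlike the connection-rate rule quoted above. The regex also accepts IPv6 client addresses, but the generated rule is for iptables; an IPv6 address needs the equivalent ip6tables rule.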