
denyhosts-like postfix brute force block?

  • Cameron Camp
    Message 1 of 3 , Mar 3, 2009
      I've been happily using denyhosts for ssh brute force attacks,

      1. What are best practices for the same functionality for Postfix
      2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
      3. Should I use something else?

      I'd like to stop attacks at the iptable/tcpwrapper level before it eats
      up postfix resources. Sorry if that has already been asked.

      Best,
      Cam
    • Bill Landry
      Message 2 of 3 , Mar 3, 2009
        Cameron Camp wrote:
        > I've been happily using denyhosts for ssh brute force attacks,
        >
        > 1. What are best practices for the same functionality for Postfix
        > 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
        > 3. Should I use something else?
        >
        > I'd like to stop attacks at the iptable/tcpwrapper level before it eats
        > up postfix resources. Sorry if that has already been asked.
        >
        > Best,
        > Cam

        I use fail2ban with this:

        failregex = reject: RCPT from (.*)\[<HOST>\]: (550|554).*(Recipient address rejected: User unknown|Relay access denied)

        watch for wrapping, as this is all on one line in the
        /etc/fail2ban/filter.d/postfix.conf

        I have it set in /etc/fail2ban/jail.conf to block the source IP address
        for 1 hour after 5 associated maillog entries, and it's been working
        fine here for quite some time.

        Bill
      • Terry Carmen
        Message 3 of 3 , Mar 3, 2009
          Cameron Camp wrote:
          > I've been happily using denyhosts for ssh brute force attacks,
          >
          > 1. What are best practices for the same functionality for Postfix
          > 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
          > 3. Should I use something else?
          >
          > I'd like to stop attacks at the iptable/tcpwrapper level before it eats
          > up postfix resources. Sorry if that has already been asked.
          >
          > Best,
          > Cam
          >
          It works great! I've been using it for a while to catch dictionary
          attacks and relay attempts.

          I have this in /etc/fail2ban/filter.d:

          failregex = reject: RCPT from (.*)\[<HOST>\]: 5

          ----------------------------------------------

          and this in /etc/fail2ban/jail.conf:
          [postfix]
          enabled  = true
          filter   = postfix
          action   = iptables-allports[name=postfix]
                     sendmail-whois[name=postfix, dest=root@..., sender=smtp@...]
          logpath  = /var/log/maillog
          maxretry = 6


          Depending on how fast your email addresses change, 6 might be too low,
          so you'll probably need to adjust it.

          ----------------------------------------------

          which catches log entries like this:

          Mar 2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT from unknown[122.110.167.253]: 554 5.7.1 <mkfy@headwaters.com>: Relay access denied; from=<cwallace@...> to=<mkfy@...> proto=SMTP helo=<122.110.167.253.optusnet.com.au>



          Terry
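The two filters posted in this thread (Bill's and Terry's), run over constructed maillog lines so the difference between them is visible; this is an added example, not code from either poster or from fail2ban itself. The `<HOST>` expansion and the "maxretry matches bans the host" rule are simplified stand-ins for what fail2ban does, assumed here for illustration, and the log lines and addresses are made up.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own host pattern before compiling; this
# simplified stand-in (an assumption, not fail2ban's exact pattern) accepts the
# IPv4 address or hostname smtpd prints inside the square brackets.
HOST_PATTERN = r"(?P<host>[\w.-]+)"

# The two failregex lines from the thread: Bill's (joined onto one line) and Terry's.
FAILREGEX = {
    "bill": r"reject: RCPT from (.*)\[<HOST>\]: (550|554).*"
            r"(Recipient address rejected: User unknown|Relay access denied)",
    "terry": r"reject: RCPT from (.*)\[<HOST>\]: 5",
}

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the filter."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def count_rejects(log_lines, failregex):
    """Count matching reject lines per source host, as a jail's filter would."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(log_lines, failregex, maxretry):
    """Hosts whose match count reached maxretry (the jail's ban threshold)."""
    return sorted(h for h, n in count_rejects(log_lines, failregex).items()
                  if n >= maxretry)

# Constructed maillog lines in the shape Terry posted; hosts are RFC 5737 test
# addresses and the mailbox names are invented.
PREFIX = "Mar  2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT from "
SAMPLE_LOG = [
    PREFIX + "unknown[192.0.2.10]: 554 5.7.1 <a@example.com>: Relay access denied; from=<x@example.net> to=<a@example.com> proto=SMTP helo=<192.0.2.10>",
    PREFIX + "unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<mail>",
    PREFIX + "unknown[192.0.2.10]: 554 5.7.1 <b@example.com>: Relay access denied; from=<x@example.net> to=<b@example.com> proto=SMTP helo=<192.0.2.10>",
    # 5xx reject for another reason: matched by Terry's filter, not by Bill's
    PREFIX + "unknown[198.51.100.7]: 554 5.7.1 Client host rejected: Access denied; from=<y@example.net> to=<c@example.com> proto=SMTP helo=<spam>",
    # temporary 4xx reject (greylisting): matched by neither filter
    PREFIX + "mx.example.org[203.0.113.5]: 450 4.7.1 <c@example.com>: Recipient address rejected: Greylisted; from=<z@example.org> to=<c@example.com> proto=ESMTP helo=<mx.example.org>",
    PREFIX + "mx.example.org[203.0.113.5]: 550 5.1.1 <gone@example.com>: Recipient address rejected: User unknown; from=<z@example.org> to=<gone@example.com> proto=ESMTP helo=<mx.example.org>",
]

if __name__ == "__main__":
    for name, rx in FAILREGEX.items():
        print(name, dict(count_rejects(SAMPLE_LOG, rx)), hosts_to_ban(SAMPLE_LOG, rx, 3))
```

Terry's shorter pattern bans on any 5xx RCPT reject, so a legitimate sender that repeatedly hits stale addresses can be banned too, which is why he suggests raising maxretry.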