
Time based blacklist or similar?

  • Chad M Stewart
    Message 1 of 7 , Apr 3, 2013
      Before I go and write my own solution I thought I'd see if anyone knows of an existing solution.

      Now and again I'd like to put an IP on a local blacklist and have an expiration time set as well. I'm using postscreen as well and ideally the blacklist will get implemented via postscreen.

      Anyone know of an existing tool that integrates with postfix that would let me do what I want? I'm open to storing the IP and TTL values in plain text, MySQL, rbldnsd, etc..


      Thank you,
      Chad
    • Matthew Hall
      Message 2 of 7 , Apr 3, 2013

        How about a DNS daemon to be used as a blacklist, which is backed by a SQL DB instead of by zone files? Such as PowerDNS with a SQL backend. Then add and remove BL entries based on the times you have in mind.

      • Wietse Venema
        Message 3 of 7 , Apr 3, 2013
          Chad M Stewart:
          >
          > Before I go and write my own solution I thought I'd see if anyone
          > knows of an existing solution.
          >
          > Now and again I'd like to put an IP on a local blacklist and have
          > an expiration time set as well. I'm using postscreen as well and
          > ideally the blacklist will get implemented via postscreen.
          >
          > Anyone know of an existing tool that integrates with postfix that
          > would let me do what I want? I'm open to storing the IP and TTL
          > values in plain text, MySQL, rbldnsd, etc..

          Blacklist expiration is not built into Postfix.

          If you want to use this with postscreen there are two options:

          - Store the blacklist in DNS.

          - Store the blacklist in an LMDB database. LMDB is safe for concurrent
          reads and writes. Add/remove entries with a cron job, perhaps using
          "postmap -i" to add one or more entries, or "postmap -d" to delete
          an entry.

          - Storage in MySQL etc. is too slow. postscreen requires latencies
          well under a millisecond.

          Currently, LMDB has an open problem with rebuilding a large database
          from scratch (as with "postmap"). This explicit upper limit is
          expected to be lifted in the near future (and it won't be replaced
          with a lame upper limit that involves using up all system memory).

          Wietse
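The LMDB option above, worked through as an added example (not Wietse's or Postfix's own code): the map holds only "ip reject" entries for postscreen_access_list, while the TTL is kept in a plain-text schedule next to it so a cron job can delete expired keys with "postmap -d" and add new ones with "postmap -i". The map path, the schedule file and its "ip<TAB>expiry_epoch" format are assumptions.

```python
"""Cron-driven expiry for an LMDB postscreen blacklist (added example, not from the thread).

Assumptions (not from the page): main.cf carries
  postscreen_access_list = permit_mynetworks, lmdb:/etc/postfix/postscreen_blacklist
and the TTL lives beside the map in a plain-text schedule, one "ip<TAB>expiry_epoch"
per line, because the LMDB values themselves are only the access result "reject".
"""
import subprocess
import time

LMDB_MAP = "lmdb:/etc/postfix/postscreen_blacklist"   # assumed map path
SCHEDULE = "/etc/postfix/postscreen_blacklist.ttl"    # assumed schedule path

def parse_schedule(lines):
    """Turn 'ip<TAB>expiry' lines into {ip: expiry}; blank and '#' lines are skipped."""
    entries = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ip, expiry = line.split()[:2]
            entries[ip] = int(expiry)        # a later line for the same ip wins
    return entries

def split_expired(entries, now):
    """Return (expired_ips, live_entries) for epoch `now`; expiry == now counts as expired."""
    expired = sorted(ip for ip, exp in entries.items() if exp <= now)
    live = {ip: exp for ip, exp in entries.items() if exp > now}
    return expired, live

def ban(ip, ttl_seconds, now=None):
    """Blacklist ip for ttl_seconds: 'postmap -i' appends without rebuilding the database."""
    now = int(time.time()) if now is None else now
    subprocess.run(["postmap", "-i", LMDB_MAP], input=f"{ip} reject\n", text=True, check=True)
    with open(SCHEDULE, "a") as fh:
        fh.write(f"{ip}\t{now + ttl_seconds}\n")

def expire(now=None):
    """Cron entry point: delete expired keys via 'postmap -d -' (keys on stdin), rewrite schedule."""
    now = int(time.time()) if now is None else now
    with open(SCHEDULE) as fh:
        expired, live = split_expired(parse_schedule(fh), now)
    if expired:
        subprocess.run(["postmap", "-d", "-", LMDB_MAP],
                       input="".join(ip + "\n" for ip in expired), text=True, check=True)
    with open(SCHEDULE, "w") as fh:              # in production write to a temp file and rename
        fh.writelines(f"{ip}\t{exp}\n" for ip, exp in sorted(live.items()))
    return expired

# Constructed sample schedule: two entries, one already past its expiry at SAMPLE_NOW.
SAMPLE_NOW = 1365000000
SAMPLE_SCHEDULE = ["# ip\texpiry", "192.0.2.1\t1364990000", "198.51.100.7\t1365086400"]
```

Run expire() from cron every minute or so; postscreen picks up LMDB changes without a reload, which is the property Wietse's option relies on.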
        • DTNX Postmaster
          Message 4 of 7 , Apr 3, 2013
            On Apr 3, 2013, at 16:10, Chad M Stewart <cms@...> wrote:

            > Before I go and write my own solution I thought I'd see if anyone knows of an existing solution.
            >
            > Now and again I'd like to put an IP on a local blacklist and have an expiration time set as well. I'm using postscreen as well and ideally the blacklist will get implemented via postscreen.
            >
            > Anyone know of an existing tool that integrates with postfix that would let me do what I want? I'm open to storing the IP and TTL values in plain text, MySQL, rbldnsd, etc..

            We use a home brewed solution that exports IP addresses from a MySQL
            database, younger than X days, to a text file in rbldnsd compatible
            format. This is then rsynced over to the primary relay server, which
            has a local rbldnsd based blacklist, used by postscreen and Postfix.

            The new data is automatically picked up by rbldnsd after a few minutes,
            and is live from there on out. Postfix and postscreen don't need to be
            reloaded this way.

            Should be easy enough to implement in whatever programming language you
            favour, along with a bit of bash magic to drive the cronjob, rsync
            commands and such.

            HTH,
            Jona
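The export step Jona describes, as an added example (not DTNX's own code): select rows younger than X days and render them as an rbldnsd ip4set zone file. sqlite3 stands in for MySQL only so the example runs offline; the table layout, the zone name and the A/TXT responses are assumptions.

```python
"""Export not-yet-expired blacklist rows to an rbldnsd ip4set file (added example).

sqlite3 is used in place of MySQL only so this runs offline; the SELECT is plain SQL.
Assumed (constructed) schema: blacklist(ip TEXT, added INTEGER unix epoch).
Assumed consumer: rbldnsd serving the file as an ip4set zone, e.g. "bl.example.internal",
which postscreen queries through postscreen_dnsbl_sites.
"""
import ipaddress
import sqlite3
import time

MAX_AGE_DAYS = 7                      # the "younger than X days" cut-off
A_RESPONSE = "127.0.0.2"              # conventional DNSBL A answer
TXT_RESPONSE = "Locally blacklisted"  # served as the TXT record by rbldnsd

def young_addresses(conn, now, max_age_days=MAX_AGE_DAYS):
    """Return IPs added within the last max_age_days, newest first."""
    cutoff = now - max_age_days * 86400
    rows = conn.execute("SELECT ip FROM blacklist WHERE added >= ? ORDER BY added DESC",
                        (cutoff,))
    return [r[0] for r in rows]

def to_ip4set(addresses):
    """Render ip4set text: a default ':A:TXT' line, then one IPv4 address per line."""
    lines = [f":{A_RESPONSE}:{TXT_RESPONSE}"]
    for addr in addresses:
        ipaddress.IPv4Address(addr)   # reject junk from the DB before it reaches the zone
        lines.append(addr)
    return "\n".join(lines) + "\n"

def sample_db(now):
    """Constructed in-memory table standing in for the MySQL source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blacklist (ip TEXT NOT NULL, added INTEGER NOT NULL)")
    conn.executemany("INSERT INTO blacklist VALUES (?, ?)", [
        ("192.0.2.10", now - 3600),          # one hour old: listed
        ("198.51.100.7", now - 6 * 86400),   # six days old: still listed
        ("203.0.113.99", now - 30 * 86400),  # thirty days old: dropped
    ])
    return conn

if __name__ == "__main__":
    now = int(time.time())
    # In production: write to a temp file, rename into place, rsync to the relay;
    # rbldnsd notices the changed zone file on its own, no Postfix reload needed.
    print(to_ip4set(young_addresses(sample_db(now), now)), end="")
```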
          • Patrick
            Message 5 of 7 , Apr 3, 2013
              fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) works
              perfectly for this. You set up some filters that are essentially just
              regular expressions, and then you define a "jail" which applies your
              filter to a log file and triggers a predefined action.

              We have two filters watching our Postfix log: one looks for repeated
              SASL login failures, and the other looks for too many 554 errors
              within a short period of time which we issue for invalid recipients.

              For manual bans as you mentioned, I wrote a simple script called banip
              which just writes a simple line to a log file that meets fail2ban's
              requirements:

              https://gist.github.com/pgib/5302582

              And then my fail2ban filter has:

              https://gist.github.com/pgib/5302594

              And the jail is configured like this:

              [manual-ban]
              enabled = true
              filter = manual-ban
              action = ipfw
              logpath = /var/log/manual-ban.log
              findtime = 2
              maxretry = 1
              bantime = 86400

              It works like a charm and requested IPs are banned within seconds of
              my request, automatically expiring after the "bantime" passes.

              Patrick


              On Wed, Apr 3, 2013 at 7:10 AM, Chad M Stewart <cms@...> wrote:
              >
              > Before I go and write my own solution I thought I'd see if anyone knows of an existing solution.
              >
              > Now and again I'd like to put an IP on a local blacklist and have an expiration time set as well. I'm using postscreen as well and ideally the blacklist will get implemented via postscreen.
              >
              > Anyone know of an existing tool that integrates with postfix that would let me do what I want? I'm open to storing the IP and TTL values in plain text, MySQL, rbldnsd, etc..
              >
              >
              > Thank you,
              > Chad
              >
              >
            • Robert Schetterer
              Message 6 of 7 , Apr 3, 2013
                On 03.04.2013 16:10, Chad M Stewart wrote:
                >
                > Before I go and write my own solution I thought I'd see if anyone knows of an existing solution.
                >
                > Now and again I'd like to put an IP on a local blacklist and have an expiration time set as well. I'm using postscreen as well and ideally the blacklist will get implemented via postscreen.
                >
                > Anyone know of an existing tool that integrates with postfix that would let me do what I want? I'm open to storing the IP and TTL values in plain text, MySQL, rbldnsd, etc..
                >
                >
                > Thank you,
                > Chad
                >
                >

                Not exactly what you're looking for, but I've done an iptables recent
                solution feeding from an rsyslog pipe with the postscreen spamhaus filter
                against big botnet logins, much faster than fail2ban.

                However, with iptables recent you can do firewalling of IPs, with auto expiration.

                To get an idea of what I mean, look at

                http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

                and/or

                http://blog.schaal-24.de/?p=1626

                Sorry, only German.

                http://www.stearns.org/doc/adaptive-firewalls.v0.1.html




                Best Regards
                Kind regards, Robert Schetterer

                --
                [*] sys4 AG

                http://sys4.de, +49 (89) 30 90 46 64
                Franziskanerstraße 15, 81669 München

                Registered office: München, Amtsgericht München: HRB 199263
                Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
                Chairman of the supervisory board: Joerg Heidrich
              • Benny Pedersen
                Message 7 of 7 , Apr 3, 2013
                  Chad M Stewart wrote on 2013-04-03 16:10:

                  > Anyone know of an existing tool that integrates with postfix that
                  > would let me do what I want? I'm open to storing the IP and TTL
                  > values in plain text, MySQL, rbldnsd, etc..

                  What problem will it solve to get the spam later? To me it looks like
                  you can get it done with any greylist server, and there set the greylist
                  time to 24 hours or so? :)

                  Greylisting helps URLs to get listed before one gets them for scanning;
                  is that what you would like to solve?