
Blacklist IP with a reject message

  • Abhijeet Rastogi
    Message 1 of 4 , Jun 25, 2013
      Hi all,

      Straight to the point: I ban IPs using fail2ban based on 4 jails. The reasons vary from brute-force SASL login attacks from specific IPs to the number of attempts to send suspect/confirmed spam mails. Right now, there is an iptables rule that starts dropping packets for an IP. This is highly undesirable, as sometimes this IP is a NAT server's IP for an org, and there are cases where SMTP packets from all clients of that org get dropped and they have no clue whatsoever.

      For now, I want to start rejecting connects with a REJECT message that can be different for different IPs. One way I could do this is using the "access" file and adding IPs to it. Unfortunately, it will work for a single server but not for a cluster of outbound servers.

      Questions:
      1. If I use the "access" file to block IPs, it's a challenge to keep all servers' data in sync. Also, it'll require me to run postmap each and every time the file changes; does that affect postfix performance in any way?
      2. I thought of the option of writing a milter using python where I could keep one Redis instance as master & the rest of the outbound servers will have a slave Redis server. Each time a connect happens, I'll check the IP against my local Redis instance and act accordingly. I think it's overkill. What do you guys think?
      3. I could also write a policy server. Is there already a policy server that's as simple as blocking IPs based on an ACL? But then, I'll have to run a local mysql server also.

      For now, my postfix instance supports these lookup tables.

      $ postconf -c /etc/postfix -m
      btree
      cidr
      environ
      hash
      internal
      nis
      pcre
      pgsql
      proxy
      regexp
      static
      tcp
      texthash
      unix

      None of them is a lightweight database like Redis that supports a master-slave configuration. Can you suggest what my options are?

      --
      Regards,
      Abhijeet Rastogi (shadyabhi)
      http://blog.abhijeetr.com
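    An added note on question 1, not part of the original post: the cidr: table type listed above is read as plain text by each new smtpd process, so it needs no postmap at all, and the text after REJECT can differ per entry. Paths and addresses below are assumed for illustration.

    ```conf
    # /etc/postfix/main.cf (assumed path): consult the table before the client is
    # allowed to go on to AUTH, so a NAT'd org sees the reason instead of a timeout
    smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access cidr:/etc/postfix/client_blocks,
        permit

    # /etc/postfix/client_blocks (assumed path, cidr: format, no postmap needed).
    # First match wins; one line per banned host or range, each with its own text.
    203.0.113.7/32      REJECT Too many failed SASL logins from 203.0.113.7; contact postmaster@example.com
    198.51.100.0/24     REJECT Spam was sent from your network; contact postmaster@example.com
    ```

    A changed cidr: file is picked up by every smtpd process that starts after the change (or immediately after `postfix reload`). With a hash: access table, postmap only rebuilds the .db file; running daemons are not interrupted, and new smtpd processes open the rebuilt file. Neither variant solves the cluster sync problem raised in the post; that is left to whatever copies the file to each server.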
    • Tom Hendrikx
      Message 2 of 4 , Jun 25, 2013
        On 06/26/2013 08:11 AM, Abhijeet Rastogi wrote:
        > Hi all,
        >
        > Straight to the point: I ban IPs using fail2ban based on 4 jails. The
        > reasons vary from brute-force SASL login attacks from specific IPs to
        > the number of attempts to send suspect/confirmed spam mails. Right now,
        > there is an iptables rule that starts dropping packets for an IP. This
        > is highly undesirable, as sometimes this IP is a NAT server's IP for an
        > org, and there are cases where SMTP packets from all clients of that
        > org get dropped and they have no clue whatsoever.
        >
        > For now, I want to start rejecting connects with a REJECT message that
        > can be different for different IPs. One way I could do this is using
        > the "access" file and adding IPs to it. Unfortunately, it will work for
        > a single server but not for a cluster of outbound servers.
        >
        > Questions:
        > 1. If I use the "access" file to block IPs, it's a challenge to keep
        > all servers' data in sync. Also, it'll require me to run postmap each
        > and every time the file changes; does that affect postfix performance
        > in any way?
        > 2. I thought of the option of writing a milter using python where I
        > could keep one Redis instance as master & the rest of the outbound
        > servers will have a slave Redis server. Each time a connect happens,
        > I'll check the IP against my local Redis instance and act accordingly.
        > I think it's overkill. What do you guys think?
        > 3. I could also write a policy server. Is there already a policy
        > server that's as simple as blocking IPs based on an ACL? But then,
        > I'll have to run a local mysql server also.
        >

        How about running a local DNSBL using rbldnsd or some scriptable DNS
        server, making fail2ban add IP addresses there. You could run several
        zones that return different reject messages to the connecting IP.

        Regards,
        Tom
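      Tom's suggestion worked through as an added example; this is not code from the thread, from rbldnsd or from Postfix. It renders one rbldnsd ip4set dataset per fail2ban jail (each zone with its own A value and TXT text), emulates the answer rbldnsd would give so the mapping can be checked offline, and prints the Postfix settings that turn each zone's TXT into the SMTP reject text. The zone names, reply texts, file layout and the ban records are constructed; wiring a fail2ban actionban to append to the dataset file is assumed rather than shown.

      ```python
      """Per-jail DNSBL zones for rbldnsd plus the matching Postfix settings.

      Added example, not code from the thread or from rbldnsd/Postfix. Zone
      names, reply texts and ban records are constructed for illustration.
      """
      import ipaddress

      # One rbldnsd ip4set zone per fail2ban jail. Each zone carries its own A
      # value (so Postfix can tell the zones apart) and its own TXT text.
      # rbldnsd replaces "$" in a TXT record with the listed address.
      ZONES = {
          "sasl": ("sasl.bl.example.internal", "127.0.0.2",
                   "$ blocked: repeated SASL login failures; contact postmaster@example.com"),
          "spam": ("spam.bl.example.internal", "127.0.0.3",
                   "$ blocked: spam sent from this address; contact postmaster@example.com"),
      }

      # Constructed ban records as a fail2ban actionban could hand them over:
      # (jail name, banned address).
      BANS = [
          ("sasl", "203.0.113.7"),
          ("spam", "198.51.100.23"),
          ("sasl", "203.0.113.9"),
          ("sasl", "203.0.113.7"),   # repeated ban: must not produce a duplicate entry
      ]


      def render_ip4set(jail, bans):
          """Return the rbldnsd ip4set dataset text for one jail's zone.

          The ":A:TXT" line sets the default A and TXT values for every address
          that follows it, so the body of the file is one address per line.
          """
          zone, a_value, txt = ZONES[jail]
          addrs = {ip for j, ip in bans if j == jail}
          # IPv4Address() raises on anything that is not a valid address, so a
          # garbage line can never reach the zone file and break a reload.
          ordered = [str(a) for a in sorted(ipaddress.IPv4Address(ip) for ip in addrs)]
          lines = [f"# {zone}: generated from fail2ban jail '{jail}'", f":{a_value}:{txt}"]
          lines.extend(ordered)
          return "\n".join(lines) + "\n"


      def rbl_query_name(ip, zone):
          """Name Postfix's reject_rbl_client looks up: reversed octets under the zone."""
          octets = str(ipaddress.IPv4Address(ip)).split(".")
          return ".".join(reversed(octets)) + "." + zone


      def lookup(ip, datasets):
          """Emulate the answer rbldnsd would give for ip from the rendered datasets.

          datasets maps zone name -> dataset text (as produced by render_ip4set).
          Returns (A value, expanded TXT) from the first zone listing ip, else None.
          """
          for zone, text in datasets.items():
              a_value, txt = None, ""
              for line in text.splitlines():
                  if line.startswith(":"):
                      _, a_value, txt = line.split(":", 2)   # default-value line
                  elif line and not line.startswith("#") and line == ip:
                      return a_value, txt.replace("$", ip)
          return None


      def postfix_settings():
          """main.cf and rbl_reply_maps fragments that reject with the zone's TXT."""
          checks = ",\n    ".join(f"reject_rbl_client {z}={a}" for z, a, _ in ZONES.values())
          main_cf = (
              "smtpd_client_restrictions =\n"
              "    permit_mynetworks,\n"
              f"    {checks},\n"
              "    permit\n"
              "rbl_reply_maps = hash:/etc/postfix/rbl_reply\n"
          )
          # Template keyed by RBL domain; $rbl_reason carries the zone's TXT text.
          reply_map = "".join(
              f"{z}  $rbl_code Service unavailable; $rbl_what blocked: $rbl_reason\n"
              for z, _, _ in ZONES.values())
          return main_cf, reply_map


      if __name__ == "__main__":
          datasets = {ZONES[j][0]: render_ip4set(j, BANS) for j in ZONES}
          for zone, text in datasets.items():
              print(f"--- {zone}\n{text}")
          print(lookup("203.0.113.7", datasets))
          main_cf, reply_map = postfix_settings()
          print(main_cf + "--- /etc/postfix/rbl_reply\n" + reply_map)
      ```

      Each outbound server points its resolver (or Postfix directly, via a local resolver) at the rbldnsd that serves these zones; because reject_rbl_client sits in smtpd_client_restrictions, the answer arrives before AUTH, so the NAT'd org from the first post sees the text rather than a dropped connection. Keep the zone TTL short, since an unban is only as fast as the cached answer expires, and remember that rbldnsd notices a changed dataset file on its own check interval, not instantly.
      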
      • Jan P. Kessler
        Message 3 of 4 , Jun 26, 2013
          > 3. I could also write a policy server. Is there already a policy
          > server that's as simple as blocking IPs based on an ACL? But then,
          > I'll have to run a local mysql server also.

          postfwd has an option to use a table, which will be re-read on every
          request. Look for "lfile" or "ltable" at
          http://www.postfwd.org/doc.html#files

          id=IPBLOCK
          client_address=lfile:/some/file
          action=REJECT Your ip address has been blocked
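          Jan's rule extended to one lfile per jail, each with its own reject text, together with the Postfix side that consults postfwd; an added example, not from the thread or from the postfwd project. The file paths, the listening address and the postfwd.cf location are assumptions.

          ```conf
          # /etc/postfwd.cf (assumed path). One rule per fail2ban jail; each lfile
          # holds one client address per line and, per Jan's note, is re-read on
          # every request, so a ban action only has to append a line to it.
          id=SASL_BLOCK
              client_address=lfile:/var/lib/fail2ban/postfwd-sasl.txt
              action=REJECT Too many failed SASL logins from $$client_address; contact postmaster@example.com

          id=SPAM_BLOCK
              client_address=lfile:/var/lib/fail2ban/postfwd-spam.txt
              action=REJECT Spam was sent from $$client_address; contact postmaster@example.com

          # Anything not listed falls through to the rest of Postfix's restrictions.
          id=DEFAULT
              action=dunno

          # /etc/postfix/main.cf (assumed path): postfwd's default listener is
          # 127.0.0.1:10040; ask it at the client stage so the reason is shown
          # before AUTH.
          smtpd_client_restrictions =
              permit_mynetworks,
              check_policy_service inet:127.0.0.1:10040,
              permit
          ```

          Two caveats for a busy outbound cluster: a policy lookup adds a round trip to every connection, and postfwd's request cache can answer from memory for a while after an address is added to a file, so check the cache setting of the installed version before relying on an immediate block.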
        • Abhijeet Rastogi
          Message 4 of 4 , Jun 26, 2013
            Hi Jan,

            Thanks for the reply. I don't want to use a file, as it'll be hard for me to sync the same file across multiple servers. (Well, I could use NFS etc., but I don't want to.)

            As Tom suggested, that seems like the good way of doing it. Thanks for that.

            On Wed, Jun 26, 2013 at 4:34 PM, Jan P. Kessler <postfix@...> wrote:

            > 3. I could also write a policy server. Is there already a policy server that's as simple as blocking IPs based on an ACL? But then, I'll have to run a local mysql server also.
            >
            > postfwd has an option to use a table, which will be re-read on every request. Look for "lfile" or "ltable" at http://www.postfwd.org/doc.html#files
            >
            > id=IPBLOCK
            >     client_address=lfile:/some/file
            >     action=REJECT Your ip address has been blocked

            --
            Regards,
            Abhijeet Rastogi (shadyabhi)
            http://blog.abhijeetr.com