Any warnings/suggestions for fail2ban?

Doug Barton
My next step for my mail system revamp is to add fail2ban. I've read up on how to configure it for Postfix and I think I'm up to speed. I have a few things which I have ideas about configuring for, so if anyone has experiences with these, or warnings against using them, I would appreciate the feedback.


1. I get hit with small floods of "Sender address rejected: Domain not found" from the same sender.

2. People attempting to actually auth against smtpd with a username and password
3. Spam floods, mostly from Chinese addresses, with the "lost connection after AUTH from unknown" dance.


Doug

Re: Any warnings/suggestions for fail2ban?

chaouche yacine
Hi Doug,

Here's how I configured my fail2ban


> 1. I get hit with small floods of "Sender address rejected: Domain not found" from the same sender.


You can add this to filter.d/postfix.conf if you don't already have it (it should be there on recent Debian systems):


failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

It will ban any IP that is attempting to send an e-mail to a mailbox that doesn't exist, and this includes non-existent mailboxes in your own domain (typical mailboxes are info, sales, webmaster, etc.).

> 2. People attempting to actually auth against smtpd with a username and password

Change this in jail.local


[sasl]
enabled  = true
port     = smtp
filter   = sasl
action   = shorewall
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600

Other configuration:


I replaced syslog with mail.log, which is more specific, for both postfix and dovecot.



[postfix]

enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]

enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
> 3. Spam floods, mostly from Chinese addresses, with the "lost connection after AUTH from unknown" dance.


I don't know about this one; I also don't consider "lost connection after AUTH from unknown" to be a sign of an attack. I have a fair amount of these lines coming from my own machines too. There might be something wrong somewhere (and I should investigate and fix it when I have time), but it is not necessarily an attack.

  -- Yassine.


On Sunday, March 19, 2017 7:03 PM, Doug <[hidden email]> wrote:

> My next step for my mail system revamp is to add fail2ban. I've read up on how to configure it for Postfix and I think I'm up to speed. I have a few things which I have ideas about configuring for, so if anyone has experiences with these, or warnings against using them, I would appreciate the feedback.
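The following is an added example, not code from the thread or from the fail2ban project. It replays the reply's four postfix failregex lines and a simplified version of the [sasl] jail's filter over a handful of constructed Postfix log lines, using the same maxretry/findtime sliding window fail2ban applies, so you can see which of Doug's three cases each jail would actually catch. The %(__prefix_line)s and <HOST> expansions are simplified stand-ins for fail2ban's own macros, the year 2017 is assumed because syslog timestamps carry none, and the fifth postfix pattern (for the "450 4.1.8 ... Sender address rejected: Domain not found" rejection that reject_unknown_sender_domain logs) is my addition for item 1: the four patterns from the reply do not match that rejection on their own. The "lost connection after AUTH" line from item 3 is included to show that neither filter matches it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s: syslog timestamp,
# hostname, "postfix/smtpd[pid]: ". The real macro in common.conf is broader;
# this one is an assumption that fits the constructed lines below.
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "

# fail2ban substitutes <HOST> with a named capture group; simplified here.
HOST = r"(?P<host>[\w\-.]+)"

# The four failregex lines from the reply, plus a fifth (my addition, not from
# the post) for the 450 4.1.8 "Domain not found" rejection in Doug's item 1.
FAILREGEX_POSTFIX = [
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: "
    r"Host not found; from=<> to=<> proto=ESMTP helo= *$",
    r"NOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"improper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <[^>]*>: "
    r"Sender address rejected: Domain not found;.*$",
]

# Simplified version of what the [sasl] jail's filter looks for: failed SMTP AUTH.
FAILREGEX_SASL = [
    r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(?:: [ A-Za-z0-9+/:]*={0,2})?\s*$",
]

# Constructed sample log (not real traffic): a small "Domain not found" flood,
# one relay attempt, one "lost connection after AUTH", and four SASL failures
# split into two bursts 24 minutes apart.
SAMPLE_LOG = """\
Mar 19 19:03:01 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <bob@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<bob@no-such-domain.invalid> to=<doug@example.com> proto=ESMTP helo=<mx.invalid>
Mar 19 19:03:05 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <bob@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<bob@no-such-domain.invalid> to=<doug@example.com> proto=ESMTP helo=<mx.invalid>
Mar 19 19:03:09 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <bob@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<bob@no-such-domain.invalid> to=<doug@example.com> proto=ESMTP helo=<mx.invalid>
Mar 19 19:04:00 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 554 5.7.1 <doug@example.com>: Relay access denied; from=<x@example.net> to=<doug@example.com> proto=ESMTP helo=<mail.example.net>
Mar 19 19:05:00 mx postfix/smtpd[4713]: lost connection after AUTH from unknown[203.0.113.9]
Mar 19 19:06:00 mx postfix/smtpd[4714]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 19 19:06:10 mx postfix/smtpd[4714]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 19 19:30:00 mx postfix/smtpd[4715]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Mar 19 19:30:05 mx postfix/smtpd[4715]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""


def compile_filter(patterns):
    """Expand the prefix and <HOST> the way fail2ban does (simplified) and compile."""
    return [re.compile(PREFIX + p.replace("<HOST>", HOST)) for p in patterns]


def match_line(compiled, line):
    """Return (timestamp, host) for the first failregex that matches, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            # Syslog lines carry no year; 2017 is assumed (the thread's date).
            ts = datetime.strptime("2017 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def matched_hosts(lines, patterns):
    """Hosts extracted from every line some failregex matches, in log order."""
    compiled = compile_filter(patterns)
    hosts = []
    for line in lines:
        hit = match_line(compiled, line)
        if hit:
            hosts.append(hit[1])
    return hosts


def find_bans(lines, patterns, maxretry=3, findtime=600):
    """fail2ban's sliding window: a host is banned once it accumulates maxretry
    matches within findtime seconds. Returns {host: time of the ban}."""
    compiled = compile_filter(patterns)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = match_line(compiled, line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        window = hits[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()   # drop matches older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("postfix jail (reply's four patterns):", find_bans(lines, FAILREGEX_POSTFIX[:4]))
    print("postfix jail (+ 450 4.1.8 pattern):  ", find_bans(lines, FAILREGEX_POSTFIX))
    print("sasl jail, findtime=600:             ", find_bans(lines, FAILREGEX_SASL))
    print("sasl jail, findtime=3600:            ", find_bans(lines, FAILREGEX_SASL, findtime=3600))
```

With the reply's four patterns nothing gets banned: the "Domain not found" flood is a 450 4.1.8 rejection, which none of them match, and the single 554 relay attempt never reaches maxretry. Adding the 450 4.1.8 pattern bans 192.0.2.10 on its third rejection. The SASL jail's findtime = 600 from the reply also shows its effect: two bursts of two failures 24 minutes apart never hold three hits in one window, so 203.0.113.9 is only banned if findtime is widened to an hour. The "lost connection after AUTH" line matches neither filter, consistent with Yassine's point that it is not by itself an auth failure.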