rate limiting bad-bot HANGUPs in postscreen?


rate limiting bad-bot HANGUPs in postscreen?

jasonsu
With postscreen in place, bad bots are getting fended off.

Many give up and go away after a couple of tries.

Some, these days mostly 'ylmf-pc' bots, are more persistent.

Eg, this one

        Apr  8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
        Apr  8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
        Apr  8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
        Apr  8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
        Apr  8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
        Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
        ...

continues on for a total of (in this case) 237 attempts in one continuous string over a few minutes.

These do not appear as multiple CONCURRENT connections, which I think I can limit with 'postscreen_client_connection_count_limit'.

Instead, they look like SEQUENTIAL connections.

IIUC, this is a pretty efficient disconnection by postscreen, so not a huge load on the server.

But, it's still making connections.

I can rate limit these in fail2ban+firewall (e.g., http://shorewall.net/ConnectionRate.html), but would prefer to keep this reaction in Postfix.

Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping the connection sooner?

Jason


Re: rate limiting bad-bot HANGUPs in postscreen?

allenc
I use a script which greps for repeated HANGUPs (and non-SMTP commands,
etc) and adds them to a postscreen access file (a separate blacklist
file that can be re-compiled as and when).  The black-list entry is
retracted after a day or so.

A second script looks for repeated black-list refusals and adds the
offender to the firewall drop-list.  This entry is removed after a day,
AND when the iptable counters have stopped incrementing.

It is overkill in my case, but it keeps my hand in at writing scripts   :-)

Allen C

On 09/04/16 15:44, [hidden email] wrote:

> With postscreen in place, bad bots are getting fended off.
>
> Many give up and go away after a couple of tries.
>
> Some, these days mostly 'ylmf-pc' bots, are more persistent.
>
> Eg, this one
>
> Apr  8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
> Apr  8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
> Apr  8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
> Apr  8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
> Apr  8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
> Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
> ...
>
> continues on for a total of (in this case) 237 attempts in one continuous string over a few minutes.
>
> These do not appear as multiple CONCURRENT connections, which I think I can limit with 'postscreen_client_connection_count_limit'.
>
> Instead, they look like SEQUENTIAL connections.
>
> IIUC, this is a pretty efficient disconnection by postscreen, so not a huge load on the server.
>
> But, it's still making connections.
>
> I can rate limit these in fail2ban+firewall (e.g., http://shorewall.net/ConnectionRate.html), but would prefer to keep this reaction in Postfix.
>
> Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping the connection sooner?
>
> Jason
>
>



Re: rate limiting bad-bot HANGUPs in postscreen?

Wietse Venema
In reply to this post by jasonsu
[hidden email]:
> continues on for a total of (in this case) 237 attempts in one
> continuous string over a few minutes.

All connections are blocked after 0.1 second, as the client fails
both the DNSBL and the pregreet tests. At one connection per second,
this uses very few resources, so I would not worry about this. It's
certainly not worth complicating postscreen.

        Wietse

Re: rate limiting bad-bot HANGUPs in postscreen?

Curtis Villamizar
In reply to this post by jasonsu
In message <[hidden email]>
[hidden email] writes:
 

> With postscreen in place, bad bots are getting fended off.
>  
> Many give up and go away after a couple of tries.
>  
> Some, these days mostly 'ylmf-pc' bots, are more persistent.
>  
> Eg, this one
>  
> Apr  8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
> Apr  8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
> Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
> Apr  8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
> Apr  8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
> Apr  8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
> Apr  8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
> Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
> ...
>  
> continues on for a total of (in this case) 237 attempts in one continuous string over a few minutes.
>  
> These do not appear as multiple CONCURRENT connections, which I think I can limit with 'postscreen_client_connection_count_limit'.
>  
> Instead, they look like SEQUENTIAL connections.
>  
> IIUC, this is a pretty efficient disconnection by postscreen, so not a huge load on the server.
>  
> But, it's still making connections.
>  
> I can rate limit these in fail2ban+firewall (e.g., http://shorewall.net/ConnectionRate.html), but would prefer to keep this reaction in Postfix.
>  
> Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping the connection sooner?
>  
> Jason


Jason,

An excerpt below from a shell script to generate an access file for
postscreen.  I haven't automated running it but will probably zcat a
day or two of prior maillog files plus the current day (for example,
using "zcat /var/log/maillog.0.bz2 | cat - /var/log/maillog | ...").
It gets rid of lots of PREGREET or HANGUP in under 1 sec.  The
threshold of 5 is quite low but I don't think it will catch any legit
mail servers.  Still playing with this.

Note that the big space before reject is three tabs.

Curtis


echo "#  HANGUP after <1 more than 5 times in one day"
grep postfix/postscreen /var/log/maillog \
    | grep 'HANGUP after 0\.' \
    | sed -e 's,^.*HANGUP after [0-9\.]* from ,,' \
          -e 's,:[0-9]* in tests after SMTP handshake$,,' \
    | sort | uniq -c | sort -n \
    | egrep '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \
    | sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,'

echo "#  PREGREET after <1 more than 5 times"
grep postfix/postscreen /var/log/maillog \
    | grep 'PREGREET [0-9]* after 0\.[0-9]* ' \
    | sed -e 's,^.*PREGREET [0-9]* after 0\.[0-9]* from ,,' \
          -e 's,:[0-9]*: [HE]*LO .*,,' \
    | sort | uniq -c | sort -n \
    | egrep '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \
    | sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,'
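The grep/sed pipeline above does two passes over the log and keeps HANGUP and PREGREET counts apart. The script below is an added example, not Curtis's script or anything shipped with Postfix: one awk pass over the same log format that counts fast HANGUPs and PREGREETs per client address together, with the threshold and the "how fast is fast" cutoff as parameters (both names and defaults are assumptions chosen here). The sample log lines are constructed to mirror the thread's format and are not real traffic.

```shell
#!/bin/sh
# Added example: aggregate postscreen HANGUP/PREGREET events per client and
# print "IP reject" lines in the cidr: table format postscreen_access_list
# accepts.  Not the original poster's code; parameter names are assumptions.

# postscreen_offenders THRESHOLD MAXSECS
#   stdin : mail log lines in the format shown in the thread
#   stdout: "<ip> reject" for every client whose HANGUP/PREGREET events
#           faster than MAXSECS seconds number more than THRESHOLD
postscreen_offenders() {
    threshold="${1:-5}"
    maxsecs="${2:-1}"
    awk -v thr="$threshold" -v max="$maxsecs" '
    /postfix\/postscreen\[[0-9]+\]: (HANGUP|PREGREET)/ {
        # the first "after" is followed by the elapsed seconds, then "from", then [ip]:port
        for (i = 1; i <= NF; i++) if ($i == "after") break
        secs = $(i + 1) + 0
        if (secs >= max) next            # slow events are ignored (likely real MTAs)
        ip = $(i + 3)                    # "[198.51.100.7]:51001" or "[..]:51001:" on PREGREET
        sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
        count[ip]++
    }
    END {
        for (ip in count) if (count[ip] > thr) printf "%s reject\n", ip
    }' | sort
}

# Constructed sample lines (not real log data), in the thread's syslog format.
emit_hangup() {   # emit_hangup SECS IP PORT
    printf 'Apr  8 04:17:20 mail01 postfix/postscreen[20412]: HANGUP after %s from [%s]:%s in tests after SMTP handshake\n' "$1" "$2" "$3"
}
emit_pregreet() { # emit_pregreet SECS IP PORT
    printf 'Apr  8 04:17:20 mail01 postfix/postscreen[20412]: PREGREET 14 after %s from [%s]:%s: EHLO ylmf-pc\\r\\n\n' "$1" "$2" "$3"
}
sample_log() {
    # 198.51.100.7: six fast hangups            -> over a threshold of 5
    for n in 1 2 3 4 5 6; do emit_hangup 0.8 198.51.100.7 5100$n; done
    # 203.0.113.9: three fast hangups + three fast pregreets -> six combined
    for n in 1 2 3; do emit_hangup 0.7 203.0.113.9 4200$n; emit_pregreet 0.1 203.0.113.9 4300$n; done
    # 192.0.2.50: exactly five fast hangups     -> not over a threshold of 5
    for n in 1 2 3 4 5; do emit_hangup 0.9 192.0.2.50 6100$n; done
    # 192.0.2.60: seven SLOW hangups (4.2 s)    -> ignored with MAXSECS=1
    for n in 1 2 3 4 5 6 7; do emit_hangup 4.2 192.0.2.60 7100$n; done
    # unrelated lines that must not be counted
    echo "Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [192.0.2.60]:7108 to [192.0.2.17]:25"
    echo "Apr  8 04:17:22 mail01 postfix/dnsblog[20415]: addr 192.0.2.60 listed by domain zen.spamhaus.org as 127.0.0.4"
}

# Stand-alone run: same thresholds as Curtis's script (more than 5, under 1 s)
sample_log | postscreen_offenders 5 1
```

Against a real log, replace `sample_log` with `cat /var/log/maillog` (or the zcat pipeline Curtis describes) and redirect the output into the file named in `postscreen_access_list`; a `cidr:` table is read as plain text, so no postmap run is needed, only a reload.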

Re: rate limiting bad-bot HANGUPs in postscreen?

Vincent Lefevre-10
In reply to this post by Wietse Venema
On 2016-04-09 18:51:00 -0400, Wietse Venema wrote:
> [hidden email]:
> > conitinues on for a total of (in this case) 237 attempts in one
> > continuous string over a few minutes.
>
> All connections are blocked after 0.1 second, as the client fails
> both the DNSBL and the pregreet tests. At one connection per second,
> this uses very few resources, so I would not worry about this. It's
> certainly not worth complicating postscreen.

Well, I'm not sure what you meant by "very few resources", but I've
noticed that since yesterday, the disk usage of my root partition
increased by 100 MB (instead of something of the order of 1 MB for
the same period), and this came from the /var/log/mail.log file.
For a small personal server, this is a lot of resources. Thanks to
Curtis Villamizar's command (posted in this thread), I could see:

[...]
    130 [75.147.78.177]
    366 [213.193.32.35]
    492 [193.189.117.148]
 100543 [108.245.138.130]

So, this was due to a single IP address, which did more than 100,000
connections within 15 hours!

I'm wondering what to do in case of future attacks like this.
I think that a fail2ban filter would be the best solution, but
there doesn't exist any filter for postscreen. I could probably
write one if no-one else has done this, but I'm not sure what
to test exactly. HANGUPs for less than 1 second like in Curtis's
command? Any better idea?

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: rate limiting bad-bot HANGUPs in postscreen?

Wietse Venema
Vincent Lefevre:
> [...]
>     130 [75.147.78.177]
>     366 [213.193.32.35]
>     492 [193.189.117.148]
>  100543 [108.245.138.130]
>
> So, this was due to a single IP address, which did more than 100,000
> connections within 15 hours!

fail2ban

        Wietse

Re: rate limiting bad-bot HANGUPs in postscreen?

jasonsu
> I'm wondering what to do in case of future attacks like this.

I'm using fail2ban+ipsets to catch these quickly & ban them efficiently.  Works well.  Simply use a regex like in those grep commands to match.

Make sure you test your matches -- using a combo of an online regex tester & fail2ban-regex works for me.

On smaller boxes I manage runaway logs, getting over-filled by anything I missed, with a logrotate policy that compresses at size limits.  If it's still a problem, move the logs to a remote host as they rotate, and/or use remote real-time logging.

Jason
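As an added example of the fail2ban setup Jason describes (not his configuration, nor a filter shipped by the fail2ban or Postfix projects), the following filter turns the thread's grep patterns into fail2ban regexes and pairs them with an ipset-backed jail. The file names, thresholds, log path and ban action are assumptions to adapt locally; `<HOST>`, `_daemon` and `__prefix_line` are fail2ban's own placeholders.

```ini
# /etc/fail2ban/filter.d/postfix-postscreen.conf   (file name is an assumption)
[INCLUDES]
before = common.conf

[Definition]
# __prefix_line (from common.conf) consumes "host postfix/postscreen[pid]: "
# after fail2ban has stripped the timestamp.
_daemon = postfix/postscreen

# Same two events Curtis's script counts: a HANGUP or a PREGREET that
# arrived in under one second (the "0\." matches only sub-second times).
failregex = ^%(__prefix_line)sHANGUP after 0\.\d+ from \[<HOST>\]:\d+ in tests after SMTP handshake$
            ^%(__prefix_line)sPREGREET \d+ after 0\.\d+ from \[<HOST>\]:\d+:

ignoreregex =

# /etc/fail2ban/jail.d/postfix-postscreen.local   (file name is an assumption)
[postfix-postscreen]
enabled   = true
filter    = postfix-postscreen
logpath   = /var/log/mail.log
port      = smtp,465,submission
# more than 5 fast HANGUP/PREGREET events from one address within 10 minutes
maxretry  = 5
findtime  = 600
# ban for a day, the retention both Allen and Curtis settled on
bantime   = 86400
# ipset-backed action, so a 100,000-connection client costs one set entry,
# not one iptables rule per ban
banaction = iptables-ipset-proto6
```

Before enabling the jail, run the filter over the real log with `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-postscreen.conf`; the summary shows how many lines matched and which addresses were extracted, which is the check Jason recommends before trusting a new regex. Note that `PREGREET` lines are also logged for clients that pass the DNSBL test, so keep `maxretry` above the one or two pregreets a misconfigured but legitimate sender might produce.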