Ban IP's from saslauthd/postfix?
edbegens at gmail.com
Sun May 24 16:07:03 UTC 2015
IPtables can be quite intimidating, but there are quite a few resources
on the web and from ubuntu on it. A quick fix, *if you need it right
now*, would be as follows:

But note, there is much, much more to know about IPtables, please read
all you can before you start to utilize it.

The example will show how to block a range of addresses below. It will
not be persistent upon a server reboot.

For an IP address, using an example, 126.96.36.199

To block 116.10.191.* addresses:

    $ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP

To block 116.10.*.* addresses:

    $ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP

To block 116.*.*.* addresses:

    $ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
On 05/24/2015 11:48 AM, Petter Adsen wrote:
> On Sun, 24 May 2015 09:32:04 -0400
> Ed Begens <edbegens at gmail.com> wrote:
>> You might want to consider using IPTables to slam the door on the
>> offending Botnet (and their associated IP addresses). But, there
>> might be better options out there depending on your server usage (in
>> what environment it's being utilized for).
> That's exactly what I want to do, but given that it is a botnet, the
> connections come in from a ton of different addresses. I need something
> that will see a failed attempt to authenticate, and block the address
> for a long period of time. fail2ban can do this, but it doesn't have
> the right mechanisms already in place for saslauthd, so I'll need to
> write them.
> There are an extremely limited number of people who have genuine
> reasons to authenticate to the server, and I can talk to all of them,
> so it would be ideal to set up a single failed attempt to block the
> source IP for a week or two :) Or longer. A**holes using a botnet to
> send spam are the lowest of the low. They need to be dealt with in the
> harshest way possible.
>> On 05/24/2015 04:13 AM, Petter Adsen wrote:
>>> On Sat, 23 May 2015 22:25:53 -0400
>>> Ben Coleman <oloryn at benshome.net> wrote:
>>>> On 05/22/2015 04:35 AM, Petter Adsen wrote:
>>>>> My mailserver is currently being targeted by what seems like a
>>>>> botnet, probably looking to send spam. Is there something like
>>>>> fail2ban I can use that will lock an IP out after a few failed
>>>>> attempts to authenticate?
>>>> I haven't used it with email authentication, but actually, fail2ban
>>>> might do. It has filters for more than looking for ssh
>>>> authentication failures. E.g. look at the postfix-sasl,
>>>> sendmail-auth, dovecot or such filters.
>>> Yes, I noticed after sending the mail - it was silly of me not to
>>> check first. I still haven't got it working, though, as it seems I
>>> would need to write a custom action, and I'm *really* bad at regular
>>> If I do get it working, I will post it here (and send it to either
>>> the authors or the Ubuntu maintainer) so others can use it also.
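A small log-to-ban filter of the kind Petter describes, added here as an example and not code from the thread, from fail2ban or from Ubuntu: it matches postfix/smtpd SASL failure lines, counts failures per source address, and emits the iptables DROP commands Ed's post uses. The regex, the sample log lines (RFC 5737 documentation addresses) and the function names are constructed for this example; the commands are returned as strings for review, not run.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Regex modelled on the shape of postfix/smtpd SASL failure lines.
# Written for this example; it is not fail2ban's own postfix-sasl filter.
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed sample mail.log excerpt (not from the thread). One legitimate
# login (last line) is included to show it is not matched.
SAMPLE_LOG = """\
May 24 11:47:58 mail postfix/smtpd[2331]: connect from unknown[192.0.2.10]
May 24 11:48:01 mail postfix/smtpd[2331]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
May 24 11:48:02 mail postfix/smtpd[2331]: disconnect from unknown[192.0.2.10]
May 24 11:49:10 mail postfix/smtpd[2340]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 24 11:49:12 mail postfix/smtpd[2340]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 24 11:50:00 mail postfix/smtpd[2351]: warning: unknown[203.0.113.4]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 11:50:30 mail postfix/smtpd[2360]: client=laptop.example.net[192.0.2.200], sasl_method=LOGIN, sasl_username=petter
"""


def failed_auth_hosts(log_text):
    """Return a Counter of source IP -> number of SASL authentication failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def ban_rules(counts, maxretry=1, whitelist=()):
    """Build iptables DROP commands for hosts with at least `maxretry` failures.

    maxretry=1 is the 'single failed attempt' policy from the thread; put the
    few legitimate users' addresses in `whitelist` so they are never banned.
    """
    rules = []
    for host, n in sorted(counts.items()):
        if n >= maxretry and host not in whitelist:
            ip_address(host)  # raises on a malformed match instead of emitting a bad rule
            rules.append(f"iptables -I INPUT -s {host} -j DROP")
    return rules
```

Rules inserted this way never expire on their own; the "week or two" ban length is what fail2ban's bantime (with its matching unban action) provides, so a real deployment would feed this regex into a fail2ban filter rather than apply the rules directly.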