Ban IP's from saslauthd/postfix?

Petter Adsen petter at synth.no
Sun May 24 16:22:04 UTC 2015


On Sun, 24 May 2015 12:07:03 -0400
Ed Begens <edbegens at gmail.com> wrote:

> Hi Petter,
> 
> IPtables can be quite intimidating, but there are quite a few
> resources on the web and from Ubuntu on it.  A quick fix, *if you
> need it right now*, would be as follows:
> 
> But note, there is much, much more to know about IPtables, please
> read all you can before you start to utilize it.
> 
> The example will show how to block a range of addresses below.  It
> will not be persistent upon a server reboot.

I am not intimidated by iptables, I use it all the time :)

The problem is, as I have said, that it is a botnet. That means that
the connections are coming in from widely separated machines, on widely
different subnets. I can't block every single address manually, as
there are dozens, probably hundreds. Neither can I block a
specific /24, /16 or even an /8 - they don't come from the same ones
(but a large part of them come from what are probably poorly secured
Amazon AWS servers, so I've blocked all their subnets).

And yes, I know they're all the same botnet: they try to authenticate
with what appears to be an alphabetic list of usernames.

I need something that will block _every single client that fails to
authenticate on the first attempt_.

Right now I'm considering taking the mailserver offline for a few days
and hoping they just go away, unless I can get fail2ban to handle this.

But thank you for your suggestion :)

Petter

> For an IP address, using an example, 116.10.191.0
> 
> To block 116.10.191.* addresses:
> 
>     $ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
> 
> To block 116.10.*.* addresses:
> 
>     $ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
> 
> To block 116.*.*.* addresses:
> 
>     $ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
> 
> On 05/24/2015 11:48 AM, Petter Adsen wrote:
> > On Sun, 24 May 2015 09:32:04 -0400
> > Ed Begens <edbegens at gmail.com> wrote:
> >
> >> Petter,
> >>
> >> You might want to consider using IPTables to slam the door on the
> >> offending Botnet (and their associated IP addresses).  But, there
> >> might be better options out there depending on your server usage
> >> (in what environment it's being utilized for).
> > That's exactly what I want to do, but given that it is a botnet, the
> > connections come in from a ton of different addresses. I need
> > something that will see a failed attempt to authenticate, and block
> > the address for a long period of time. fail2ban can do this, but it
> > doesn't have the right mechanisms already in place for saslauthd,
> > so I'll need to write them.
> >
> > There are an extremely limited number of people who have genuine
> > reasons to authenticate to the server, and I can talk to all of
> > them, so it would be ideal to set up a single failed attempt to
> > block the source IP for a week or two :) Or longer. A**holes using
> > a botnet to send spam are the lowest of the low. They need to be
> > dealt with in the harshest way possible.
> >
> > Petter
> >
> >> On 05/24/2015 04:13 AM, Petter Adsen wrote:
> >>> On Sat, 23 May 2015 22:25:53 -0400
> >>> Ben Coleman <oloryn at benshome.net> wrote:
> >>>
> >>>> On 05/22/2015 04:35 AM, Petter Adsen wrote:
> >>>>> My mailserver is currently being targeted by what seems like a
> >>>>> botnet, probably looking to send spam. Is there something like
> >>>>> fail2ban I can use that will lock an IP out after a few failed
> >>>>> attempts to authenticate?
> >>>> I haven't used it with email authentication, but actually,
> >>>> fail2ban might do.  It has filters for more than looking for ssh
> >>>> authentication failures.  E.g. look at the postfix-sasl,
> >>>> sendmail-auth, dovecot or such filters.
> >>> Yes, I noticed after sending the mail - it was silly of me not to
> >>> check first. I still haven't got it working, though, as it seems I
> >>> would need to write a custom action, and I'm *really* bad at
> >>> regular expressions.
> >>>
> >>> If I do get it working, I will post it here (and send it to either
> >>> the authors or the Ubuntu maintainer) so others can use it also.
> >>>
> >>> Petter

-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
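Added example (not part of the original message, and not fail2ban's own code): the policy described in the message above, banning a source on its first failed SASL login for two weeks, run over constructed log lines. It assumes the usual Postfix smtpd warning format and a caller-supplied year, since syslog timestamps carry none; `bans_from_log`, `BAN_TIME`, the allowlist and the sample lines are hypothetical.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BAN_TIME = timedelta(days=14)  # "a week or two"; fail2ban calls this bantime

# Anchored at the syslog prefix so text a client controls later in a line
# cannot pose as a failure record for some other address.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/[\w/]*smtpd\[\d+\]: warning: "
    r"[^\[\s]+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL [-\w]+ authentication failed"
)

def bans_from_log(lines, year, allow=()):
    """Map each source IP to its ban expiry, banning on the FIRST failure."""
    allowed = [ip_network(n) for n in allow]  # assumption: known users' networks
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed text that is not an address
        if any(ip in net for net in allowed):
            continue  # allowlisted sources are never banned
        seen = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        bans.setdefault(str(ip), seen + BAN_TIME)  # later failures change nothing
    return bans

# Constructed sample log (documentation address ranges), not from the thread.
SAMPLE = [
    "May 24 16:20:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "May 24 16:20:03 mail postfix/smtpd[2102]: connect from unknown[198.51.100.23]",
    "May 24 16:20:04 mail postfix/smtpd[2102]: warning: host.example[198.51.100.23]: SASL PLAIN authentication failed: authentication failure",
    "May 24 16:20:09 mail postfix/smtpd[2103]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "May 24 16:21:30 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    # Failure text embedded in another daemon's line: must not match.
    "May 24 16:22:00 mail dovecot: auth: user=<postfix/smtpd[1]: warning: x[198.51.100.99]: SASL LOGIN authentication failed>",
]

if __name__ == "__main__":
    for ip, until in bans_from_log(SAMPLE, 2015, allow=("192.0.2.0/24",)).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M}")
```

With a one-strike policy the allowlist is what keeps a legitimate user's typo from locking them out for the full ban period.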