Ban IP's from saslauthd/postfix?
petter at synth.no
Sun May 24 16:22:04 UTC 2015
On Sun, 24 May 2015 12:07:03 -0400
Ed Begens <edbegens at gmail.com> wrote:
> Hi Petter,
> IPtables can be quite intimidating, but there are quite a few
> resources on the web and from ubuntu on it. A quick fix, *if you
> need it right now*, would be as follows:
> But note, there is much, much more to know about IPtables, please
> read all you can before you start to utilize it.
> The example will show how to block a range of addresses below. It
> will not be persistent upon a server reboot.
I am not intimidated by iptables, I use it all the time :)
The problem is, as I have said, that it is a botnet. That means that
the connections are coming in from widely separated machines, on widely
different subnets. I can't block every single address manually, as
there are dozens, probably hundreds. Neither can I block a
specific /24, /16 or even an /8 - they don't come from the same ones
(but a large part of them come from what is probably poorly secured
Amazon AWS servers, so I've blocked all their subnets).
And yes, I know they're all the same botnet: they try to authenticate
with what appears to be an alphabetic list of usernames.
I need something that will block _every single client that fails to
authenticate on the first attempt_.
Right now I'm considering taking the mailserver offline for a few days
and hope they just go away, unless I can get fail2ban to handle this.
But thank you for your suggestion :)
> For an IP address, using an example, 220.127.116.11
> To block 116.10.191.* addresses:
> $ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
> To block 116.10.*.* addresses:
> $ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
> To block 116.*.*.* addresses:
> $ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
> On 05/24/2015 11:48 AM, Petter Adsen wrote:
> > On Sun, 24 May 2015 09:32:04 -0400
> > Ed Begens <edbegens at gmail.com> wrote:
> >> Petter,
> >> You might want to consider using IPTables to slam the door on the
> >> offending Botnet (and their associated IP addresses). But, there
> >> might be better options out there depending on your server usage
> >> (in what environment it's being utilized for).
> > That's exactly what I want to do, but given that it is a botnet, the
> > connections come in from a ton of different addresses. I need
> > something that will see a failed attempt to authenticate, and block
> > the address for a long period of time. fail2ban can do this, but it
> > doesn't have the right mechanisms already in place for saslauthd,
> > so I'll need to write them.
> > There are an extremely limited number of people who have genuine
> > reasons to authenticate to the server, and I can talk to all of
> > them, so it would be ideal to set up a single failed attempt to
> > block the source IP for a week or two :) Or longer. A**holes using
> > a botnet to send spam are the lowest of the low. They need to be
> > dealt with in the harshest way possible.
> > Petter
> >> On 05/24/2015 04:13 AM, Petter Adsen wrote:
> >>> On Sat, 23 May 2015 22:25:53 -0400
> >>> Ben Coleman <oloryn at benshome.net> wrote:
> >>>> On 05/22/2015 04:35 AM, Petter Adsen wrote:
> >>>>> My mailserver is currently being targeted by what seems like a
> >>>>> botnet, probably looking to send spam. Is there something like
> >>>>> fail2ban I can use that will lock an IP out after a few failed
> >>>>> attempts to authenticate?
> >>>> I haven't used it with email authentication, but actually,
> >>>> fail2ban might do. It has filters for more than looking for ssh
> >>>> authentication failures. E.g. look at the postfix-sasl,
> >>>> sendmail-auth, dovecot or such filters.
> >>> Yes, I noticed after sending the mail - it was silly of me not to
> >>> check first. I still haven't got it working, though, as it seems I
> >>> would need to write a custom action, and I'm *really* bad at
> >>> regular expressions.
> >>> If I do get it working, I will post it here (and send it to either
> >>> the authors or the Ubuntu maintainer) so others can use it also.
> >>> Petter
"Are you sure?"
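The thread asks for fail2ban-style behaviour (ban a client after its first failed SASL login, for a week or two) and shows per-range iptables DROP rules. The following is an added example, not code from the thread, from fail2ban or from Postfix: it runs the same kind of match fail2ban's postfix-sasl filter performs over a handful of constructed Postfix smtpd log lines, applies maxretry/findtime/bantime/ignoreip semantics, and renders the DROP rule the ban would insert. The regex is modelled on the filter rather than copied from it, the log lines and the year 2015 used to complete syslog timestamps are constructed, and the addresses are RFC 5737 documentation ranges.

```python
"""fail2ban-style ban decisions for Postfix SASL authentication failures.

Added illustration: parses postfix/smtpd log lines, counts failures per
client IP inside a sliding window (findtime), bans an address once it
reaches maxretry failures, and renders the iptables rule for the ban.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Modelled on fail2ban's postfix-sasl filter (not copied from it): a Postfix
# smtpd warning naming the client as "host[ip]" and a failed SASL mechanism.
# saslauthd's own "auth failure" lines carry no client address, which is why
# the smtpd line is the one worth matching.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# Constructed excerpt of /var/log/mail.log (not a real capture).
SAMPLE_LOG = """\
May 24 12:01:02 mail postfix/smtpd[2001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 24 12:01:03 mail postfix/smtpd[2001]: disconnect from unknown[203.0.113.7]
May 24 12:01:09 mail postfix/smtpd[2002]: warning: unknown[203.0.113.8]: SASL PLAIN authentication failed: authentication failure
May 24 12:02:30 mail postfix/smtpd[2003]: warning: ec2-198-51-100-5.compute-1.amazonaws.com[198.51.100.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 24 12:03:00 mail postfix/smtpd[2004]: warning: home.example.net[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
May 24 12:03:05 mail saslauthd[1500]: do_auth         : auth failure: [user=aaron] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 24 12:03:30 mail postfix/smtpd[2001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""


def parse_ts(ts, year=2015):
    """syslog timestamps carry no year; the caller assumes one (2015 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR range in ignoreip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(lines, maxretry=1, findtime=600, bantime=14 * 24 * 3600, ignoreip=()):
    """Return {ip: (banned_at, expires_at)} for every client that reaches
    maxretry SASL failures within findtime seconds; bantime is in seconds."""
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        m = SASL_FAIL.search(line)
        if m is None:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        # Keep only failures still inside the findtime window, then count.
        recent[ip] = [x for x in recent[ip] if (t - x).total_seconds() <= findtime]
        recent[ip].append(t)
        if len(recent[ip]) >= maxretry:
            bans[ip] = (t, t + timedelta(seconds=bantime))
    return bans


def iptables_rule(ip):
    """Rule a ban action would insert; a plain DROP on INPUT like the one
    quoted in the thread (fail2ban's own action uses a per-jail chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    # One failure is enough; the known legitimate client range is exempt.
    decisions = find_bans(SAMPLE_LOG.splitlines(), maxretry=1, ignoreip=("192.0.2.0/24",))
    for ip, (start, end) in decisions.items():
        print(f"{ip}: banned {start:%b %d %H:%M} until {end:%b %d %H:%M} -> {iptables_rule(ip)}")
```

With maxretry=1 the example bans the three botnet clients on their first failure and leaves 192.0.2.10 alone because it sits in ignoreip; the saslauthd line is skipped because it names no client. In fail2ban terms this is the shipped [postfix-sasl] jail with `maxretry = 1`, `bantime = 1209600` (two weeks, in seconds) and `ignoreip` set to the handful of addresses the legitimate users connect from; without that ignoreip entry, a single mistyped password locks a real user out for the full bantime.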