OSEC

Re: denyhosts-like postfix brute force block?

From: Terry Carmen (terrycnysupport.com)
Date: Tue Mar 03 2009 - 12:58:52 CST


Cameron Camp wrote:
> I've been happily using denyhosts for ssh brute force attacks,
>
> 1. What are best practices for the same functionality for Postfix
> 2. Are there "gotcha's" for trying to use denyhosts/fail2ban for this
> 3. Should I use something else?
>
> I'd like to stop attacks at the iptable/tcpwrapper level before it eats
> up postfix resources. Sorry if that has already been asked.
>
> Best,
> Cam
>
It works great! I've been using it for a while to catch dictionary
attacks and relay attempts.

I have this in /etc/fail2ban/filter.d:

failregex = reject: RCPT from (.*)\[<HOST>\]: 5

----------------------------------------------

and this in /etc/fail2ban/jail.conf:
[postfix]
enabled = true
filter = postfix
action = iptables-allports[name=postfix]
         sendmail-whois[name=postfix, dest=rootcnysupport.com, sender=smtpcnysupport.com]
logpath = /var/log/maillog
maxretry = 6

Depending on how fast your email addresses change, 6 might be too low,
so you'll probably need to adjust it.

----------------------------------------------

which catches log entries like this:

Mar 2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT from unknown[122.110.167.253]: 554 5.7.1 <mkfyheadwaters.com>: Relay access denied; from=<cwallacechoirschool.org> to=<mkfyheadwaters.com> proto=SMTP helo=<122.110.167.253.optusnet.com.au>

Terry
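As an added example (not part of Terry's post or of fail2ban itself), the script below replays the jail logic described above over a constructed postfix log: it applies a regex equivalent to the posted failregex, counts permanent (5xx) RCPT rejections per client address inside a sliding findtime window, and reports which hosts would cross maxretry. The fail2ban `<HOST>` token is replaced by an explicit IP-literal group, the TEST-NET addresses and log lines are constructed, and the year, hostname and sender/recipient addresses are assumptions. It also shows the two knobs the reply warns about: a lower maxretry bans sooner, and a longer findtime catches slow probers.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Simplified stand-in for the posted failregex. fail2ban substitutes its own
# host-matching group for <HOST>; here it is an explicit named group that
# accepts an IP literal. The trailing ": 5" is what limits matches to
# permanent 5xx rejections, so 4xx greylist/defer lines are not counted.
FAILREGEX = re.compile(r"reject: RCPT from (.*)\[(?P<host>[0-9A-Fa-f.:]+)\]: 5")


def parse_ts(line, year=2009):
    """Parse the 15-character syslog timestamp (which carries no year)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=6, findtime=600):
    """Replay the jail: ban a host once it reaches `maxretry` matching
    rejections inside any `findtime`-second window.
    Returns (banned hosts in ban order, total matches per host)."""
    recent = defaultdict(list)   # host -> match timestamps still inside the window
    totals = Counter()
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        totals[host] += 1
        if host in banned:           # already blocked at the firewall
            continue
        ts = parse_ts(line)
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned, dict(totals)


def reject_line(ts, host, code, reason, pid=23869):
    """Build a constructed postfix/smtpd reject line in the quoted format."""
    return (f"{ts} wormhole postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from "
            f"unknown[{host}]: {code} <victim@example.org>: {reason}; "
            f"from=<spam@example.net> to=<victim@example.org> proto=SMTP helo=<{host}>")


# Constructed sample log (TEST-NET addresses, not real traffic).
SAMPLE_LOG = "\n".join(
    # a relay probe hammering the server: 7 permanent rejects in 12 seconds
    [reject_line(f"Mar  2 19:24:{s}", "198.51.100.7", "554 5.7.1", "Relay access denied")
     for s in ("40", "41", "43", "45", "48", "50", "52")]
    # a 4xx reject (no reverse DNS): the regex deliberately does not match it
    + [reject_line("Mar  2 19:25:10", "192.0.2.5", "450 4.7.1",
                   "Client host rejected: cannot find your reverse hostname")]
    # two dictionary-attack hits: they match but stay under maxretry
    + [reject_line(f"Mar  2 19:26:{s}", "203.0.113.9", "550 5.1.1",
                   "Recipient address rejected: User unknown in local recipient table")
       for s in ("00", "05")]
    # a slow prober: 6 rejects spread over 15 minutes, never 6 within 10 minutes
    + [reject_line(f"Mar  2 19:{mm}:00", "203.0.113.44", "554 5.7.1", "Relay access denied")
       for mm in ("30", "33", "36", "39", "42", "45")]
)

if __name__ == "__main__":
    banned, totals = scan(SAMPLE_LOG)
    print("banned:", banned)
    print("matches per host:", totals)
```

With the posted maxretry of 6 and fail2ban's default findtime of 600 seconds only the fast relay probe is banned; raising findtime to 1200 also catches the slow prober, and dropping maxretry to 2 bans the two-hit dictionary attempt as well, which is the trade-off against legitimate senders with stale address books that the reply points out.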