On Tue 16/Dec/2014 19:22:05 +0100 Anders Le Chevalier wrote: 
> On 2014-12-16 07:20, Mark Constable wrote:
> ...
>> 
>> Bonus question, aside from fail2ban, has anyone got any rules for iptables
>> to block/drop on an OS level any courier-related authdaemon logins and
>> these port 25 access attempts?

Spamhaus DROP is certainly worth it.
(http://www.tana.it/sw/spamhaus-drop/ for a bash script using ipset and curl)

> I used fail2ban some time ago. If you want to block failed
> authentications you could do something like this:
> 
> failregex = error,relay\=<HOST>,msg\=\"535

I have these regexes (not fail2ban format, but looks quite like it):

/LOGIN FAILED, user=\S* ip=\[<HOST>]/ * "dictionary attack"
/courieresmtpd: error,relay=<HOST>,msg="535 Authentication failed."/ * "SMTP auth dictionary attack"
/courieresmtpd: error,relay=<HOST>,from=<[^>]*>,to=<[^>]*>: 513 Relaying denied/ * "Relaying denied" 15
/courieresmtpd: error,relay=<HOST>,from=<[^>]*>: 517-Domain does not exist/ * "Domain does not exist" 15
/courieresmtpd: error,relay=<HOST>,msg="502 ESMTP command error",cmd:/ * "ESMTP command error" 30
/Maximum connection limit reached for <HOST>/ * "connection limit" 4 - 86400

> I guess it might be possible to have some iptables rules that parse the
> data stream to courier for the response - but is that really more
> efficient than fail2ban?

No and yes, IMHO.  No, it's not possible, or at least not advisable, to
parse the data stream to learn how good the peer is, because the server can
lie; for example, it may reply "250 Thank you for this nice message!" and then
drop it.  And yes, it is more efficient to centralize log parsing, especially
if one has several processes doing that.  One way would be to generate SNMP
calls as described in RFC 5675 (which I have never tried, though).

Ale
-- 
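Pulling the regexes above together as runnable detection logic: this is an added example (mine, not the poster's script or any Courier or fail2ban code) that applies the same patterns to a few constructed courier log lines, counts hits per source address against the thresholds given in the mail, and emits ipset commands for the addresses that crossed a threshold. Assumptions not in the mail: a threshold of 5 for the two rules that list none, the set name courier-ban, a single 86400-second timeout, and the IPv4-mapped `::ffff:` form courier uses when logging relay addresses.

```python
import re
from collections import Counter, defaultdict

# fail2ban-style <HOST>: an IPv4 address, optionally in the IPv4-mapped
# IPv6 form (::ffff:a.b.c.d) that courier writes into relay= and ip=[...].
HOST = r"(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# (label, compiled regex, threshold). The patterns are the ones from the
# mail; thresholds for the first two rules are assumed (the mail gives none).
RULES = [
    ("dictionary attack",
     re.compile(r"LOGIN FAILED, user=\S* ip=\[" + HOST + r"\]"), 5),
    ("SMTP auth dictionary attack",
     re.compile(r"courieresmtpd: error,relay=" + HOST
                + r',msg="535 Authentication failed\."'), 5),
    ("Relaying denied",
     re.compile(r"courieresmtpd: error,relay=" + HOST
                + r",from=<[^>]*>,to=<[^>]*>: 513 Relaying denied"), 15),
    ("Domain does not exist",
     re.compile(r"courieresmtpd: error,relay=" + HOST
                + r",from=<[^>]*>: 517-Domain does not exist"), 15),
    ("ESMTP command error",
     re.compile(r"courieresmtpd: error,relay=" + HOST
                + r',msg="502 ESMTP command error",cmd:'), 30),
    ("connection limit",
     re.compile(r"Maximum connection limit reached for " + HOST), 4),
]

# Constructed sample log (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = (
    ['Dec 16 19:20:0%d mail courieresmtpd: error,relay=::ffff:203.0.113.5,'
     'msg="535 Authentication failed."' % i for i in range(6)]
    + ['Dec 16 19:20:1%d mail imapd: LOGIN FAILED, user=admin, '
       'ip=[::ffff:198.51.100.7]' % i for i in range(3)]
    + ['Dec 16 19:21:0%d mail couriertcpd: Maximum connection limit reached '
       'for ::ffff:192.0.2.9' % i for i in range(4)]
    + ['Dec 16 19:21:30 mail courieresmtpd: error,relay=::ffff:203.0.113.5,'
       'from=<x@example.com>,to=<y@example.net>: 513 Relaying denied']
)


def tally(lines):
    """Count matches per (source address, rule label)."""
    counts = Counter()
    for line in lines:
        for label, rx, _ in RULES:
            m = rx.search(line)
            if m:
                counts[(m.group("host"), label)] += 1
                break  # first matching rule wins
    return counts


def offenders(lines):
    """Hosts whose count for some rule reached that rule's threshold."""
    thresholds = {label: thr for label, _, thr in RULES}
    hit = defaultdict(list)
    for (host, label), n in sorted(tally(lines).items()):
        if n >= thresholds[label]:
            hit[host].append(label)
    return dict(hit)


def ipset_commands(hosts, setname="courier-ban", timeout=86400):
    """ipset commands for the hosts. Assumes the set was created with
    'ipset create courier-ban hash:ip timeout 86400' and is referenced by
    'iptables -I INPUT -m set --match-set courier-ban src -j DROP'."""
    return ["ipset -exist add %s %s timeout %d" % (setname, h, timeout)
            for h in sorted(hosts)]


if __name__ == "__main__":
    banned = offenders(SAMPLE_LOG)
    for host, labels in banned.items():
        print(host, "->", ", ".join(labels))
    print("\n".join(ipset_commands(banned)))
```

On the sample, 203.0.113.5 is flagged for six 535 failures (its single 513 stays below the relaying threshold), 192.0.2.9 for hitting the connection limit four times, and 198.51.100.7 with three IMAP login failures is left alone. Feeding the output to ipset rather than adding one iptables rule per address keeps the ruleset a single set match, which is the point of the ipset approach the Spamhaus DROP script takes as well.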
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net