On 22/05/2024 19:33, Northwind via Postfix-users wrote:
Hello list,

In the last two days, my mail system (small size) met attacks.

mail.log shows a lot of this stuff:

May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6


And fail2ban has dropped 2000+ black IPs:

$ sudo iptables -L -n|grep DROP|wc -l
2614

The attack continues at this time.

My questions are:
1. what's the purpose of this kind of attack? Brute force password cracking, or DDoS?

2. How to strengthen email system security to stop this?

Thanks in advance.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


Hi.

I managed to drastically reduce this type of attack using the abuseIPDB[1] database (free account) + ipset + iptables.

[1] https://www.abuseipdb.com/

I run a cronjob 4 times a day to add new IPs to my ipset.

If you want, I can send you my scripts to automate these tasks. (It's out of the scope of this list)

Regards.

----------------------------------
    _    Engº Julio Cesar Covolato
   0v0   <ju...@psi.com.br>
  /(_)\  F: 55-11-99175-9260
   ^ ^   PSI INTERNET
----------------------------------
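
An added example, not part of either message in the thread: a log triage sketch that counts failed SASL logins per client address in lines shaped like the ones quoted above and emits `ipset restore` input for addresses over a threshold. It also decodes the logged reason; `UGFzc3dvcmQ6` is base64 for `Password:`, the LOGIN mechanism's prompt. The set name `sasl_block`, the threshold and the sample lines are assumptions made for illustration.

```python
import base64
import ipaddress
import re
from collections import Counter

# Constructed sample in the quoted log format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 23 06:24:29 mx postfix/smtpd[101]: warning: unknown[192.0.2.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[102]: warning: unknown[198.51.100.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[103]: warning: unknown[192.0.2.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[101]: warning: unknown[192.0.2.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:58 mx postfix/smtpd[104]: warning: unknown[192.0.2.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:25:01 mx postfix/smtpd[105]: connect from unknown[203.0.113.9]
"""

# Matches both the smtpd and smtps/smtpd services; captures client IP and reason.
FAIL_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed: (.*)$"
)

def decode_reason(reason):
    # Decode a base64 reason to text; plain-text reasons are returned unchanged.
    try:
        return base64.b64decode(reason, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return reason

def parse_failures(log_text):
    """Return (failures per client IP, failures per decoded reason)."""
    per_ip, reasons = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # bracketed token was not an IP address
            continue
        per_ip[ip] += 1
        reasons[decode_reason(m.group(2))] += 1
    return per_ip, reasons

def ipset_restore_lines(per_ip, threshold, set_name="sasl_block"):
    # One "add" line per offender, in the format read by `ipset restore`.
    hits = [ip for ip, n in per_ip.items() if n >= threshold]
    hits.sort(key=lambda ip: (ip.version, int(ip)))
    return [f"add {set_name} {ip}" for ip in hits]

if __name__ == "__main__":
    counts, why = parse_failures(SAMPLE_LOG)
    print(dict(why), *ipset_restore_lines(counts, threshold=3), sep="\n")
```

The output lines can be piped to `ipset -exist restore` once the set has been created; an iptables rule matching that set then drops the listed sources.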
