On 28.08.2015 at 20:28, Forrest wrote:
> On 8/28/15 2:09 PM, Robert Schetterer wrote:
>> On 28.08.2015 at 20:03, Forrest wrote:
>>> I've become used to the script kiddies sending out large connection
>>> requests (I do have a threshold set).  They are able to get around it by
>>> other connections.  For example, I had 857 connects of this:
>>>
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from
>>> unknown[5.232.194.77]
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate
>>> limit exceeded: 56 from unknown[5.232.194.77] for service smtp
>>> Aug 28 11:57:35 mail postfix/smtpd[20544]: disconnect from
>>> unknown[5.232.194.77] ehlo=1 auth=0/1 unknown=0/2 commands=1/4
>>>
>>> While it may be time for an external tool like fail2ban, I'm wondering
>>> if there are other measures I can take, that may break things (but I'm
>>> the only one that uses this system), such as changing port numbers of
>>> certain services.
>>>
>>> I do block the IP spaces when I see this, which is a no-brainer.  But I
>>> wonder how others are mitigating this activity.   Pointers, advice
>>> welcomed (and thanks in advance).
>>>
>>>
>>> _F
>>>
>>>
>> if you're the only user, postscreen and fail2ban should be fine
>>
>>
>> Best Regards
>> MfG Robert Schetterer
>>
> 
> There is potential this server will be used more widely, though.
> 
> The default connection rate limiting seems to work; however, the above
> mentioned log had a client connecting over 800 times, and I think that
> should never happen.  I read through postscreen's README page online and
> I'm not clear about how postscreen can mitigate this.  Do you have some
> pointers to pages that show examples of this?
> 
> Thanks.
> 

in very short words
the only way to limit cons is rejecting/dropping with a firewall,
postscreen is able to do early rejects but however meanwhile it has smtp
"slots" open
so combining fail2ban etc. and postscreen may be a good idea

in the past i tested other solutions, but be warned these must fit
your setup and needs

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

http://blog.arschkrebs.de/blog/new-fail2ban-rules-for-postscreen/

http://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall-eintragen/?lang=en

http://www.kinader.eu/postfix-in-fail2ban-sinnvoll-einbinden-395/



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
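
Added example, not part of the original thread or of any poster's setup: a log scan that picks out clients repeatedly tripping the "Connection rate limit exceeded" warning quoted above, using the same maxretry/findtime idea fail2ban applies before handing an address to the firewall. The function name, its `year` and `allow` parameters, and the sample log lines are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One unwrapped syslog line of the smtpd warning quoted in the thread.
RATE_WARNING = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: Connection rate limit exceeded: \d+ "
    r"from \S*\[(?P<ip>[0-9A-Fa-f:.]+)\] for service \S+"
)
SAMPLE = [  # constructed log lines; addresses come from documentation ranges
    "Aug 28 11:00:00 mail postfix/smtpd[20001]: warning: Connection rate limit exceeded: 51 from unknown[198.51.100.9] for service smtp",
    "Aug 28 11:20:00 mail postfix/smtpd[20002]: warning: Connection rate limit exceeded: 51 from unknown[198.51.100.9] for service smtp",
    "Aug 28 11:40:00 mail postfix/smtpd[20003]: warning: Connection rate limit exceeded: 51 from unknown[198.51.100.9] for service smtp",
    "Aug 28 11:57:35 mail postfix/smtpd[20544]: connect from unknown[203.0.113.7]",
    "Aug 28 11:57:35 mail postfix/smtpd[20544]: warning: Connection rate limit exceeded: 56 from unknown[203.0.113.7] for service smtp",
    "Aug 28 11:57:36 mail postfix/smtpd[20545]: warning: Connection rate limit exceeded: 57 from unknown[203.0.113.7] for service smtp",
    "Aug 28 11:57:40 mail postfix/smtpd[20546]: warning: Connection rate limit exceeded: 58 from unknown[203.0.113.7] for service smtp",
]

def find_offenders(lines, maxretry=3, findtime=60, year=2015, allow=("127.0.0.0/8",)):
    """Return sorted IPs with >= maxretry warnings inside findtime seconds.
    Syslog stamps carry no year, so the caller supplies one (assumption)."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> warning times still inside the window
    flagged = set()
    for line in lines:
        m = RATE_WARNING.match(line)
        if not m:
            continue  # connect/disconnect and unrelated lines are ignored
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed field was not a valid address
        if any(ip in net for net in allowed):
            continue  # never block allowlisted networks
        when = datetime.strptime(f"{year} {m.group('stamp')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # drop warnings that aged out of the window
        if len(q) >= maxretry:
            flagged.add(str(ip))
    return sorted(flagged)

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The returned addresses are candidates for a firewall drop rule; the allowlist should cover your own relays and monitoring hosts before anything is blocked automatically.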
