Am 21.02.2016 um 11:48 schrieb Allen Coates: > Do smtpd_hard_error_limit > <http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit> and > smtpd_soft_error_limit > <http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit> count > authentication failures as "errors"? > > I don't receive enough emails (or attacks) to have a definitive answer. > > Allen C
this help a little bit it may free resources more quickly but its not a good solution ( tested ) in hard cases fail2ban is a good option also disable sasl auth on port 25 ,only use it with submission you may also modify my iptables recent script to your needs https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/ https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/ > > > On 21/02/16 07:47, Kiss Gábor wrote: >> Dear folks, >> >> My logs are full of lines like this: >> >> Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: >> unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication >> failure >> >> This is a brute force attack in order to get a valid username/password pair. >> The cracker usually does 20 attempts within a single SMTP session. >> Thought fail2ban alerts the firewall after the third or fourth one but >> network filtering applies to new connections only. >> (I would not filter _all_ incoming packets until it is >> absolutely necessary.) >> >> So the attacker may try any number of password quite unobtrusively. >> >> Is there any way to instruct smtpd to close session after 3 unsuccesful >> attempts as is written in RFC 4954? I found no appropriate config parameter. >> >> https://tools.ietf.org/html/rfc4954#section-9 >> Servers MAY implement a policy whereby the connection is dropped >> after a number of failed authentication attempts. If they do so, >> they SHOULD NOT drop the connection until at least 3 attempts to >> authenticate have failed. >> >> The affected Postfix version is 2.11.3, our old MTA. >> The new one is not found yet by the bad guys. >> >> Regards >> >> Gabor > > Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
