On 17.07.2017 at 20:06, /dev/rob0 wrote:
> On Mon, Jul 17, 2017 at 01:33:24PM -0400, Wietse Venema wrote:
>> I don't think there is much to gain from parsing postscreen logging
>> to produce fail2ban rules. postscreen is designed to handle a lot
>> of abuse with near-zero resources.
> 
> Granted, not much benefit within Postfix.  But consider: these 
> botnets are also attacking other services: http, ssh, DNS, and more.  
> I think it's a reasonable goal to want to block botnets in the 
> firewall.
> 
> [ Linux-specific ]
> 
> We do it with ssh attacks here using the "recent" iptables module.
> (On my TODO is a plan to port those rules to the --match set and 
> --jump SET modules and ipset(8).)  These attacks, when exceeding 
> established maximum new connection rates, cause the attacker to be 
> entirely blocked in the firewall.
> 
> That obviously won't work for SMTP, where [FSVO] legitimate sites 
> might have a bunch of new connections in short periods.  For ssh, 
> we're using the assumption that these connections are humans who are 
> seeking shell access, although indeed a poorly-written script could 
> easily go beyond the limits.
> 
> So the move to ipset would allow broader participation in attack 
> deflection; fail2ban could help populate the firewall blocking with 
> input from httpd, named, and others (including Postfix.)
> 
> Another advantage of firewall blocking is at the human level: 
> decrease of noise in the logs, to potentially save time for the 
> admin.  I haven't had many systems which were vulnerable to the 
> brute-force ssh attacks, but I don't need to see that spam in the 
> system logs.
> 
> To be clear, I don't have an answer for the OP; I am just tossing 
> out a couple of coins in support of the goal.
> 

You may have a look here for ideas:

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
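As an added example (not part of this thread and not code from sys4 or the posts linked above), here is a shell script that writes the two rule sets rob0 describes: SSH new-connection rate limiting with the iptables "recent" module, and the port to ipset with "--match set" and "--jump SET", where one set blocks an offender for every service and can also be fed by fail2ban or rsyslog actions for httpd, named and Postfix. The chain name, set name, port, window, hit count and timeout are assumptions; IPT and IPSET default to echo so the script only prints the commands, and running it as root with IPT=iptables IPSET=ipset loads them. As the message says, these thresholds suit ssh, not SMTP, where legitimate senders open many new connections in short periods.

```shell
#!/bin/sh
# Added example: SSH rate limiting with the iptables "recent" module, and the
# same detection feeding an ipset so the offender is blocked for all services.
# Everything below (names, ports, thresholds) is an assumed configuration.
set -eu

# Dry run by default: commands are printed, not loaded. Override as root with
#   IPT=iptables IPSET=ipset ./this-script
IPT="${IPT:-echo iptables}"
IPSET="${IPSET:-echo ipset}"

SSH_PORT="${SSH_PORT:-22}"
WINDOW_SECONDS=60        # sliding window for counting new connections
HITCOUNT=4               # more than this many in the window => offender
BLOCK_SET="ssh_abusers"  # assumed ipset name
BLOCK_TIMEOUT=86400      # seconds an entry stays in the set (ipset timeout)

# Shared detection chain. Every new TCP connection to SSH_PORT is recorded in
# the "recent" table sshbf; --update refreshes the source's timer and fires the
# given target once the source has exceeded HITCOUNT hits in WINDOW_SECONDS,
# so a persistent attacker stays matched for as long as it keeps connecting.
# $@ is the target (plus its options) applied to an offending source.
ssh_rate_chain() {
    $IPT -N SSH_RATE 2>/dev/null || true
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_RATE
    $IPT -A SSH_RATE -m recent --name sshbf --set
    $IPT -A SSH_RATE -m recent --name sshbf --update \
        --seconds "$WINDOW_SECONDS" --hitcount "$HITCOUNT" -j "$@"
}

# Variant 1: "recent" only. Offending SSH connections are dropped; other
# services from the same source are untouched.
ssh_recent_only() {
    ssh_rate_chain DROP
}

# Variant 2: the ipset port. One rule at the top of INPUT drops any source in
# the set for every service; the rate chain adds offenders to the set with the
# SET target. fail2ban actions for other daemons can add to the same set, e.g.
#   ipset add ssh_abusers <address>     (assumed action, not a fail2ban default)
ssh_with_ipset() {
    $IPSET create "$BLOCK_SET" hash:ip timeout "$BLOCK_TIMEOUT" -exist
    $IPT -I INPUT 1 -m set --match-set "$BLOCK_SET" src -j DROP
    ssh_rate_chain SET --add-set "$BLOCK_SET" src
}

# Default entry point: print (or load) the ipset variant.
main() {
    ssh_with_ipset
}

# Only run main when executed directly, not when sourced for the functions.
case "${0##*/}" in
    sh|bash|dash) : ;;
    *) main ;;
esac
```

Blocked entries expire after BLOCK_TIMEOUT seconds because the set is created with a timeout, so a dynamic address that was briefly used by a bot is not blocked forever; `ipset list ssh_abusers` shows the current entries and remaining timeouts.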
