Re: blacklistd not reacting to postfix/smtpd AUTH failures
On 8/10/20 7:22 AM, Christos Zoulas wrote:

Can you try this?

christos

Index: smtpd.c === RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v retrieving revision 1.17 diff -u -u -r1.17 smtpd.c --- smtpd.c 18 Mar 2020 19:05:20 - 1.17 +++ smtpd.c 10 Aug 2020 14:21:48 - @@ -5795,6 +5795,8 @@ || strcmp(state->reason, REASON_LOST_CONNECTION)) { msg_info("%s after %s from %s", state->reason, state->where, state->namaddr); + if (strcmp(state->where, SMTPD_CMD_AUTH) == 0) + pfilter_notify(1, vstream_fileno(state->client)); } }

For what it's worth (a month later), this patch seems to catch more of the untoward behavior I'm wanting to block. Within an hour of installing it, I have one address blocked and a couple on their way...

+j
Re: blacklistd not reacting to postfix/smtpd AUTH failures
In article , Emile `iMil' Heitor wrote:
>
>Hi,
>
>On this machine:
>
>NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28
>UTC 2020
>mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>
>I have the following setup:
>
>$ cat /etc/blacklistd.conf
>[local]
>domain dgram * * * 3 24h
>smtp stream * * * 3 24h
>submission stream * * * 3 24h
>imaps stream * * * 3 24h
>ssh stream * * * 3 24h
>
>$ cat /etc/npf.conf
>
>$ext = vioif0
>
>set bpf.jit on;
>alg "icmp"
>
>table type ipset file "/etc/npf_blacklist"
>
>group "external" on $ext {
> ruleset "blacklistd"
> block in final from
> pass final all
>}
>
>group default {
> pass final all
>}
>
>This works, i.e. blocks bruteforce attempts on ports 53 and 22, but
>authentication failures on port 25 are not caught and thus no blacklisting
>takes place:
>
>$ sudo grep AUTH /var/log/maillog|tail -6
>Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug 7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug 7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH
>from unknown[78.128.113.116]
>
>$ sudo grep blacklist /var/log/messages
>Aug 7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53
>after 86400 seconds
>Aug 7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53
>after 86400 seconds
>Aug 7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for
>86400 seconds
>
>$ sudo blacklistctl dump -ab
>        address/ma:port id      nfail   last access
>     89.248.167.135/32:53       1/3     2020/08/07 02:23:22
>      195.144.21.56/32:53       1/3     2020/08/07 06:57:38
>      146.88.240.15/32:53       1/3     2020/08/06 16:39:09
>      3.235.107.224/32:53 3     3/3     2020/08/07 14:05:09
>     146.88.240.128/32:53       2/3     2020/08/06 21:51:36
>   2001:bc8:234c:1/128:22       1/3     2020/08/06 16:21:34
>         71.6.232.7/32:53       1/3     2020/08/07 05:42:50
>        80.82.65.90/32:53       2/3     2020/08/06 18:25:48
>         74.82.47.2/32:53       1/3     2020/08/07 02:42:22
>       146.88.240.4/32:53       1/3     2020/08/06 16:22:46
>      193.29.15.169/32:53       2/3     2020/08/06 18:54:24
>      185.232.65.36/32:53       1/3     2020/08/06 22:06:34
>     192.35.168.251/32:53       1/3     2020/08/07 01:58:55
>        185.50.66.1/32:53       1/3     2020/08/07 12:52:59
>
>smtpd is indeed linked over libblacklist:
>
>$ ldd /usr/libexec/postfix/smtpd |grep black
>        -lblacklist.0 => /usr/lib/libblacklist.so.0
>
>Anything I am missing here?

Can you try this?

christos

Index: smtpd.c === RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v retrieving revision 1.17 diff -u -u -r1.17 smtpd.c --- smtpd.c 18 Mar 2020 19:05:20 - 1.17 +++ smtpd.c 10 Aug 2020 14:21:48 - @@ -5795,6 +5795,8 @@ || strcmp(state->reason, REASON_LOST_CONNECTION)) { msg_info("%s after %s from %s", state->reason, state->where, state->namaddr); + if (strcmp(state->where, SMTPD_CMD_AUTH) == 0) + pfilter_notify(1, vstream_fileno(state->client)); } }
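Review bot: the added pfilter_notify() call keys only on state->where being SMTPD_CMD_AUTH, so it fires for every session that ends while the last command was AUTH, regardless of the reason recorded in state->reason and without checking whether the AUTH exchange actually failed; a legitimate client that authenticates and then drops the connection is counted toward blacklistd's nfail threshold exactly like a password-guessing client. Consider narrowing the condition to sessions in which AUTH did not succeed, or at least documenting that trade-off next to the call. A one-line comment noting that the client descriptor handed to vstream_fileno(state->client) is still open at this point (which is what lets blacklistd attribute the event, in contrast to the sshd "fd already closed" case discussed elsewhere in this thread) would also make the placement easier to review.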
Re: blacklistd not reacting to postfix/smtpd AUTH failures
On Fri, 7 Aug 2020, Martin Neitzel wrote:

> You have to check the smtpd source to see if blacklist{,_r,_sa} could be
> called at the point where the issue is logged.

Indeed the source code delivered. It suggests the notification should be triggered when the auth attempts reach the smtpd_hard_error_limit:

    if (state->error_count >= var_smtpd_hard_erlim) {
        state->reason = REASON_ERROR_LIMIT;
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
                         var_myhostname);
        pfilter_notify(1, vstream_fileno(state->client));
        break;
    }

Which I had not set in the main.cf file. After setting it to 5, failed attempts would be sent to blacklistd:

$ postconf smtpd_hard_error_limit
smtpd_hard_error_limit = 5

$ sudo blacklistctl dump -ab|egrep '32:25'
       186.159.2.57/32:25       1/3     2020/08/08 07:31:19
    194.213.125.169/32:25       1/3     2020/08/08 07:17:08
        185.4.44.60/32:25       1/3     2020/08/08 07:26:26
     94.243.219.122/32:25       1/3     2020/08/08 07:21:28
      202.40.186.26/32:25       1/3     2020/08/08 07:50:47

Maybe this should be documented...

More on connections limit: http://www.postfix.org/TUNING_README.html#conn_limit

Emile `iMil' Heitor | https://imil.net
Re: blacklistd not reacting to postfix/smtpd AUTH failures
iMil> smtpd is indeed linked over libblacklist:
iMil>
iMil> $ ldd /usr/libexec/postfix/smtpd |grep black
iMil>         -lblacklist.0 => /usr/lib/libblacklist.so.0

iMil> Anything I am missing here?

A daemon may well notify blacklistd about a possible attack at some places along the code path but not at others, even when an issue gets logged at the "other" place.

In particular, the blacklist(3) API requires the connection to the client to be still active when registering a mis-behavior. This is a bit stupid, IMHO, because it prevents the blacklist registration of any clients which pull out early.

I had noticed this with sshd: it just logged lots of "client closed connection [preauth]" probes without notifying blacklistd. A look into the sshd source showed that this was a case of "fd already closed" and not fixable.

In fact, only allowing public key access kept many stupid clients knocking at the door. Allowing password-based access gets rid of them quickly because those attempts *do* trigger blacklistd.

You have to check the smtpd source to see if blacklist{,_r,_sa} could be called at the point where the issue is logged.

Martin Neitzel
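To make the two conditions raised in this thread concrete, here is an added example in C; it is not code from smtpd.c or from libblacklist, and the names `struct session`, `record_error()`, `run_session()` and `notify_filter()` are this example's own. It models (1) the smtpd check quoted above, which only calls pfilter_notify() once error_count reaches smtpd_hard_error_limit, and (2) Martin's point that the client descriptor must still be open when the API is called, because blacklistd identifies the offender from that descriptor's peer address. A socketpair stands in for the accepted client connection, and `notify_filter()` is a hypothetical stand-in for pfilter_notify()/blacklist_r() that reports whether the event could have been attributed instead of sending it anywhere.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical per-connection state, modelled on the smtpd fields
 * quoted in this thread (error_count vs. var_smtpd_hard_erlim). */
struct session {
    int client_fd;        /* descriptor of the client connection */
    int error_count;      /* protocol errors seen so far */
    int hard_error_limit; /* stands in for smtpd_hard_error_limit */
    int notified;         /* set once a notification went out */
};

/* blacklistd learns the offender's address from the descriptor it is
 * handed, so the descriptor must still be open; on a closed one
 * getpeername() fails and the event cannot be attributed to anyone. */
static int peer_still_identifiable(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    return getpeername(fd, (struct sockaddr *)&ss, &len) == 0;
}

/* Hypothetical stand-in for pfilter_notify()/blacklist_r(): reports
 * whether the notification could be attributed, instead of sending it. */
static int notify_filter(int fd)
{
    return peer_still_identifiable(fd) ? 1 : 0;
}

/* Count one protocol error the way the quoted smtpd check does.
 * Returns 0 while below the limit, 1 when the limit is reached and the
 * notification went out, -1 when the limit is reached but the client
 * descriptor is already gone (the sshd "fd already closed" situation). */
int record_error(struct session *s)
{
    if (++s->error_count < s->hard_error_limit)
        return 0;
    if (!notify_filter(s->client_fd))
        return -1;
    s->notified = 1;
    return 1;
}

/* Drive one session against a socketpair standing in for the client.
 * With close_early set, the local descriptor is closed just before the
 * error that would reach the limit. Returns record_error()'s last
 * result, or -2 if the socketpair could not be created. */
int run_session(int hard_error_limit, int close_early)
{
    int sv[2], rc = 0, i;
    struct session s = { -1, 0, hard_error_limit, 0 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    s.client_fd = sv[0];
    for (i = 0; i < hard_error_limit; i++) {
        if (close_early && i == hard_error_limit - 1)
            close(sv[0]);  /* client already gone: nothing to attribute */
        rc = record_error(&s);
        if (rc != 0)
            break;
    }
    if (!close_early)
        close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("limit 5, client still connected: %d\n", run_session(5, 0));
    printf("limit 5, client closed early:    %d\n", run_session(5, 1));
    return 0;
}
```

The run with close_early set is the sshd situation Martin describes: the daemon still knows something went wrong, but the descriptor the API needs is no longer there, so nothing reaches blacklistd. Note also that with smtpd_hard_error_limit unset, as in Emile's first report, the first branch in record_error() never stops returning 0 before the client goes away, which is why no port-25 entries appeared in blacklistctl dump until the limit was configured.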
blacklistd not reacting to postfix/smtpd AUTH failures
Hi,

On this machine:

NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020 mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

I have the following setup:

$ cat /etc/blacklistd.conf
[local]
domain dgram * * * 3 24h
smtp stream * * * 3 24h
submission stream * * * 3 24h
imaps stream * * * 3 24h
ssh stream * * * 3 24h

$ cat /etc/npf.conf

$ext = vioif0

set bpf.jit on;
alg "icmp"

table type ipset file "/etc/npf_blacklist"

group "external" on $ext {
  ruleset "blacklistd"
  block in final from
  pass final all
}

group default {
  pass final all
}

This works, i.e. blocks bruteforce attempts on ports 53 and 22, but authentication failures on port 25 are not caught and thus no blacklisting takes place:

$ sudo grep AUTH /var/log/maillog|tail -6
Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]

$ sudo grep blacklist /var/log/messages
Aug 7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53 after 86400 seconds
Aug 7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53 after 86400 seconds
Aug 7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for 86400 seconds

$ sudo blacklistctl dump -ab
        address/ma:port id      nfail   last access
     89.248.167.135/32:53       1/3     2020/08/07 02:23:22
      195.144.21.56/32:53       1/3     2020/08/07 06:57:38
      146.88.240.15/32:53       1/3     2020/08/06 16:39:09
      3.235.107.224/32:53 3     3/3     2020/08/07 14:05:09
     146.88.240.128/32:53       2/3     2020/08/06 21:51:36
   2001:bc8:234c:1/128:22       1/3     2020/08/06 16:21:34
         71.6.232.7/32:53       1/3     2020/08/07 05:42:50
        80.82.65.90/32:53       2/3     2020/08/06 18:25:48
         74.82.47.2/32:53       1/3     2020/08/07 02:42:22
       146.88.240.4/32:53       1/3     2020/08/06 16:22:46
      193.29.15.169/32:53       2/3     2020/08/06 18:54:24
      185.232.65.36/32:53       1/3     2020/08/06 22:06:34
     192.35.168.251/32:53       1/3     2020/08/07 01:58:55
        185.50.66.1/32:53       1/3     2020/08/07 12:52:59

smtpd is indeed linked over libblacklist:

$ ldd /usr/libexec/postfix/smtpd |grep black
        -lblacklist.0 => /usr/lib/libblacklist.so.0

Anything I am missing here?

Thanks,

Emile `iMil' Heitor | https://imil.net
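For the /etc/blacklistd.conf rules in this post, the following added example (not blacklistd's own code) shows what a line such as "smtp stream * * * 3 24h" means for the "1/3" nfail column in blacklistctl dump and for the "blocked ... for 86400 seconds" / "released ... after 86400 seconds" messages in /var/log/messages. The field order follows blacklistd.conf(5) (location type proto owner name nfail disable); `parse_rule()`, `parse_duration()`, `record_failure()` and `simulate()` are names chosen for this example, the count-reset-on-release behaviour is modelled from the log lines rather than taken from blacklistd's database code, and the notification times fed in are constructed from the six maillog timestamps above, expressed as seconds since midnight.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One rule from blacklistd.conf: fields are
 * location type proto owner name nfail disable (blacklistd.conf(5)).
 * Only the fields this example acts on are kept. */
struct rule {
    char location[32];  /* service name or port, e.g. "smtp" */
    char type[8];       /* "stream" or "dgram" */
    int nfail;          /* failures allowed before blocking */
    long disable;       /* block duration in seconds */
};

/* Per-offender state: the data behind one "address/ma:port nfail last
 * access" line of blacklistctl dump -ab. */
struct entry {
    int count;           /* the numerator of "1/3" */
    long blocked_until;  /* 0 while not blocked */
    long last;           /* last notification time, in seconds */
};

/* Duration suffixes accepted in the disable field: s, m, h, d,
 * or a bare number of seconds. Returns -1 on anything else. */
long parse_duration(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s)
        return -1;
    switch (*end) {
    case 'd':  return v * 86400L;
    case 'h':  return v * 3600L;
    case 'm':  return v * 60L;
    case 's':
    case '\0': return v;
    default:   return -1;
    }
}

/* Parse one rule line. Returns 0 on success, -1 on a malformed line
 * (wrong field count, non-positive nfail, unparsable duration). */
int parse_rule(const char *line, struct rule *r)
{
    char proto[8], owner[32], name[32], nfail[8], disable[16];
    if (sscanf(line, "%31s %7s %7s %31s %31s %7s %15s",
               r->location, r->type, proto, owner, name, nfail, disable) != 7)
        return -1;
    r->nfail = atoi(nfail);
    r->disable = parse_duration(disable);
    return (r->nfail > 0 && r->disable > 0) ? 0 : -1;
}

/* Apply one failure notification at time `now`. Returns 1 when this
 * notification crosses the threshold (the "blocked ... for N seconds"
 * event), 0 otherwise. An expired block is released first, which
 * restarts the count (modelled, see lead-in); a notification that
 * arrives while the block is active changes nothing. */
int record_failure(struct entry *e, const struct rule *r, long now)
{
    if (e->blocked_until != 0 && now >= e->blocked_until) {
        e->blocked_until = 0;    /* "released ... after N seconds" */
        e->count = 0;
    }
    e->last = now;
    if (e->blocked_until != 0)
        return 0;
    if (++e->count >= r->nfail) {
        e->blocked_until = now + r->disable;
        return 1;
    }
    return 0;
}

/* Feed n notification times through one entry; returns the number of
 * block events they caused. */
int simulate(const struct rule *r, const long *times, int n, struct entry *e)
{
    int blocks = 0, i;
    for (i = 0; i < n; i++)
        blocks += record_failure(e, r, times[i]);
    return blocks;
}

int main(void)
{
    /* Constructed from the maillog lines above: six drops after AUTH
     * from one address at 14:17:08, 14:25:11, :16, :21, :25 and :29. */
    long times[] = { 51428, 51911, 51916, 51921, 51925, 51929 };
    struct rule r;
    struct entry e = { 0, 0, 0 };

    if (parse_rule("smtp stream * * * 3 24h", &r) != 0)
        return 1;
    printf("block events: %d, nfail %d/%d, blocked until t=%ld\n",
           simulate(&r, times, 6, &e), e.count, r.nfail, e.blocked_until);
    return 0;
}
```

Run against the constructed timestamps, the third notification is the one that would produce the "blocked" log line, and the remaining three change nothing because the address is already blocked. The point for this report is what the model makes visible: none of those six maillog lines ever became a notification, because nothing in smtpd called the API for them, so the entry for 78.128.113.116 never existed and the "3 24h" rule had nothing to count.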