Re: blacklistd not reacting to postfix/smtpd AUTH failures

2020-09-24 Thread Jeff Rizzo

On 8/10/20 7:22 AM, Christos Zoulas wrote:



Can you try this?

christos

Index: smtpd.c
===
RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v
retrieving revision 1.17
diff -u -u -r1.17 smtpd.c
--- smtpd.c 18 Mar 2020 19:05:20 -  1.17
+++ smtpd.c 10 Aug 2020 14:21:48 -
@@ -5795,6 +5795,8 @@
   || strcmp(state->reason, REASON_LOST_CONNECTION)) {
msg_info("%s after %s from %s",
 state->reason, state->where, state->namaddr);
+   if (strcmp(state->where, SMTPD_CMD_AUTH) == 0)
+   pfilter_notify(1, vstream_fileno(state->client));
}
  }
  



For what it's worth (a month later), this patch seems to catch more of
the untoward behavior I'm wanting to block.  Within an hour of
installing it, I have one address blocked and a couple on their way...



+j




Re: blacklistd not reacting to postfix/smtpd AUTH failures

2020-08-10 Thread Christos Zoulas
In article ,
Emile `iMil' Heitor   wrote:
>
>Hi,
>
>On this machine:
>
>NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28
>UTC 2020 
>mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>
>I have the following setup:
>
>$ cat /etc/blacklistd.conf
>[local]
>domain  dgram   *   *   *   3   24h
>smtpstream  *   *   *   3   24h
>submission  stream  *   *   *   3   24h
>imaps   stream  *   *   *   3   24h
>ssh stream  *   *   *   3   24h
>
>$ cat /etc/npf.conf
>
>$ext = vioif0
>
>set bpf.jit on;
>alg "icmp"
>
>table  type ipset file "/etc/npf_blacklist"
>
>group "external" on $ext {
> ruleset "blacklistd"
> block in final from 
> pass final all
>}
>
>group default {
> pass final all
>}
>
>This works, i.e. blocks bruteforce attempts on ports 53 and 22, but
>authentication failures on port 25 are not caught and thus no blacklisting
>takes place:
>
>$ sudo grep AUTH /var/log/maillog|tail -6
>Aug  7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug  7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug  7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug  7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug  7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH
>from unknown[78.128.113.116]
>Aug  7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH
>from unknown[78.128.113.116]
>
>$ sudo grep blacklist /var/log/messages
>Aug  7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53
>after 86400 seconds
>Aug  7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53
>after 86400 seconds
>Aug  7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for
>86400 seconds
>
>$ sudo blacklistctl dump -ab
> address/ma:port id  nfail   last access
>  89.248.167.135/32:53   1/3 2020/08/07 02:23:22
>   195.144.21.56/32:53   1/3 2020/08/07 06:57:38
>   146.88.240.15/32:53   1/3 2020/08/06 16:39:09
>   3.235.107.224/32:53   3   3/3 2020/08/07 14:05:09
>  146.88.240.128/32:53   2/3 2020/08/06 21:51:36
>2001:bc8:234c:1/128:22  1/3 2020/08/06 16:21:34
>  71.6.232.7/32:53   1/3 2020/08/07 05:42:50
> 80.82.65.90/32:53   2/3 2020/08/06 18:25:48
>  74.82.47.2/32:53   1/3 2020/08/07 02:42:22
>146.88.240.4/32:53   1/3 2020/08/06 16:22:46
>   193.29.15.169/32:53   2/3 2020/08/06 18:54:24
>   185.232.65.36/32:53   1/3 2020/08/06 22:06:34
>  192.35.168.251/32:53   1/3 2020/08/07 01:58:55
> 185.50.66.1/32:53   1/3 2020/08/07 12:52:59
>
>smtpd is indeed linked over libblacklist:
>
>$ ldd /usr/libexec/postfix/smtpd |grep black
> -lblacklist.0 => /usr/lib/libblacklist.so.0
>
>Anything I am missing here?

Can you try this?

christos

Index: smtpd.c
===
RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v
retrieving revision 1.17
diff -u -u -r1.17 smtpd.c
--- smtpd.c 18 Mar 2020 19:05:20 -  1.17
+++ smtpd.c 10 Aug 2020 14:21:48 -
@@ -5795,6 +5795,8 @@
   || strcmp(state->reason, REASON_LOST_CONNECTION)) {
msg_info("%s after %s from %s",
 state->reason, state->where, state->namaddr);
+   if (strcmp(state->where, SMTPD_CMD_AUTH) == 0)
+   pfilter_notify(1, vstream_fileno(state->client));
}
 }
 
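Review bot: the new test keys only on `state->where`, so it fires for every reason that reaches this block, not just the "lost connection" case the thread is about; in particular the error-limit path quoted elsewhere in this thread (`state->reason = REASON_ERROR_LIMIT;` followed by `pfilter_notify(1, vstream_fileno(state->client));`) already notifies, so a client that hits `smtpd_hard_error_limit` while its last command was AUTH would be reported twice and reach the blacklistd threshold faster than `blacklistd.conf` says. Consider restricting the added call to `strcmp(state->reason, REASON_LOST_CONNECTION) == 0`, or dropping the call from the error-limit path. Separately, `strcmp(state->where, SMTPD_CMD_AUTH) == 0` says nothing about whether the AUTH exchange failed: a client that authenticated successfully and dropped the connection before its next command is also "after AUTH" and would be counted as a failure, so if smtpd records a successful SASL login in `state`, test that too before notifying.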



Re: blacklistd not reacting to postfix/smtpd AUTH failures

2020-08-08 Thread Emile `iMil' Heitor

On Fri, 7 Aug 2020, Martin Neitzel wrote:


You have to check the smtpd source to see if blacklist{,_r,_sa}
could be called at the point where the issue is logged.


Indeed the source code delivered. It suggests the notification should be
triggered when the auth attempts reach the smtpd_hard_error_limit:

if (state->error_count >= var_smtpd_hard_erlim) {
state->reason = REASON_ERROR_LIMIT;
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
 var_myhostname);
pfilter_notify(1, vstream_fileno(state->client));
break;
}

Which I had not set in the main.cf file. After setting it to 5, failed attempts
would be sent to blacklistd:

$ postconf smtpd_hard_error_limit
smtpd_hard_error_limit = 5

$ sudo blacklistctl dump -ab|egrep '32:25'
   186.159.2.57/32:25   1/3 2020/08/08 07:31:19
194.213.125.169/32:25   1/3 2020/08/08 07:17:08
185.4.44.60/32:25   1/3 2020/08/08 07:26:26
 94.243.219.122/32:25   1/3 2020/08/08 07:21:28
  202.40.186.26/32:25   1/3 2020/08/08 07:50:47

Maybe this should be documented...

More on connections limit http://www.postfix.org/TUNING_README.html#conn_limit


Emile `iMil' Heitor  | https://imil.net
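The two posts above show the same data from both ends: maillog lines saying "lost connection after AUTH" that never reach blacklistd, and a blacklistctl dump whose "nfail" column only moves once smtpd_hard_error_limit is hit. The following is an added example, not code from the thread, from NetBSD or from Postfix: it re-implements the "3 failures in 24h" rule of the blacklistd.conf quoted in the thread as an offline check over smtpd log lines, so that the "lost connection after AUTH" events the unpatched smtpd never reports can be counted the same way blacklistd would count them. Assumptions are labelled in the code: the log year (syslog lines carry none), that every line is from the port 25 smtpd, which reasons count as a failure, and the sample log lines themselves, which are constructed for the example.

```python
"""Offline approximation of blacklistd's per-address failure counter.

Added example, not from the thread, NetBSD or Postfix. It applies the
`3 failures / 24h` rule from the blacklistd.conf in the thread to
postfix/smtpd log lines of the form
    "<reason> after <command> from <host>[<ip>]"
which smtpd emits via msg_info("%s after %s from %s", ...).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: these are the reasons treated as an AUTH failure. "lost
# connection" is what the unpatched smtpd does not report; "too many
# errors" is the smtpd_hard_error_limit path that does.
FAILURE_REASONS = {"lost connection", "too many errors"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<reason>lost connection|too many errors|timeout) after "
    r"(?P<cmd>\S+) from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)


def parse(line, year=2020):
    """Return (timestamp, reason, command, ip) or None for unrelated lines.

    Assumption: syslog timestamps have no year, so one is supplied."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["reason"], m["cmd"], m["ip"]


def evaluate(lines, threshold=3, window=timedelta(hours=24), commands=("AUTH",)):
    """Sliding-window counter mirroring blacklistd's nfail/threshold semantics.

    Returns (nfail, blocked): nfail maps ip -> failures still inside the
    window after the last line; blocked maps ip -> time the threshold was
    first reached. Assumption: every line is the port 25 smtpd, so the
    key is the address alone (blacklistd keys on address:port)."""
    recent = defaultdict(deque)
    nfail, blocked = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, reason, cmd, ip = rec
        if reason not in FAILURE_REASONS or cmd not in commands:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # expire failures older than window
            q.popleft()
        nfail[ip] = len(q)
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return nfail, blocked


# Constructed sample log (TEST-NET addresses), modelled on the lines in the
# thread; it is not real traffic. The first line is 37 hours older than the
# rest, so it has expired by the time the same address fails again.
SAMPLE_LOG = [
    "Aug  6 01:00:00 senate postfix/smtpd[1201]: lost connection after AUTH from unknown[203.0.113.7]",
    "Aug  7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[203.0.113.7]",
    "Aug  7 14:20:31 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[198.51.100.9]",
    "Aug  7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[203.0.113.7]",
    "Aug  7 14:25:16 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[203.0.113.7]",
    "Aug  7 14:30:02 senate postfix/smtpd[7936]: too many errors after AUTH from unknown[192.0.2.44]",
    "Aug  7 14:31:44 senate postfix/smtpd[8102]: lost connection after CONNECT from unknown[192.0.2.44]",
    "Aug  7 14:32:10 senate postfix/smtpd[8102]: timeout after AUTH from unknown[198.51.100.9]",
]

if __name__ == "__main__":
    counts, blocks = evaluate(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        state = f"blocked at {blocks[ip]:%Y/%m/%d %H:%M:%S}" if ip in blocks else "watching"
        print(f"{ip:>16}:25  {n}/3  {state}")
```

Run against a real maillog (`grep 'after AUTH' /var/log/maillog`) it tells you which addresses blacklistd would have blocked had smtpd reported every "lost connection after AUTH"; compare its output with `blacklistctl dump -ab` to see the gap the thread is about. It counts each log line once, so it does not reproduce the double report that an unconditional notification in smtpd plus the existing error-limit notification would produce.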





Re: blacklistd not reacting to postfix/smtpd AUTH failures

2020-08-07 Thread Martin Neitzel
iMil> smtpd is indeed linked over libblacklist:
iMil>
iMil> $ ldd /usr/libexec/postfix/smtpd |grep black
iMil>  -lblacklist.0 => /usr/lib/libblacklist.so.0

iMil> Anything I am missing here?

A daemon may well notify blacklistd about a possible attack at some
places along the code path but not at others, even when an issue
gets logged at the "other" place.  In particular, the blacklist(3)
API requires the connection to the client to be still active when
registering a misbehavior.  This is a bit stupid, IMHO, because
it prevents the blacklist registration of any clients which pull
out early.

I had noticed this with sshd: it just logged lots of "client closed
connection [preauth]" probes without notifying blacklistd.  A look
into the sshd source showed that this was a case of "fd already
closed" and not fixable.

In fact, only allowing public key access kept many stupid clients
knocking at the door.  Allowing password-based access gets rid of
them quickly because those attempts *do* trigger blacklistd.

You have to check the smtpd source to see if blacklist{,_r,_sa}
could be called at the point where the issue is logged.

Martin Neitzel
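The "connection must still be active" constraint comes from how the notification travels: libblacklist hands the client's socket descriptor to blacklistd over a local socket, and blacklistd reads the peer address from that descriptor. The following is an added example, not from the thread or from libblacklist, that models this with a Unix-domain socketpair standing in for the blacklistd control socket and a loopback TCP connection standing in for the SMTP client. It shows the two cases in the post above: the peer hangs up first but the daemon still holds the descriptor (the "lost connection after AUTH" case, where a notification can still succeed), and the daemon has already closed its end (the sshd "fd already closed" case, where there is nothing left to pass). Assumed for the example: the descriptor-passing design itself, a loopback address, and that the real daemon does more checks than are modelled here.

```python
"""Why blacklist(3) needs a still-open descriptor: an added example.

Not from the thread, NetBSD or libblacklist. The control channel and the
client connection are stand-ins built in-process; only the mechanism
(SCM_RIGHTS descriptor passing, then getpeername() at the receiver) is
what the example is about.
"""
import array
import errno
import socket


def send_fd(chan, fd):
    """Pass one descriptor over a Unix-domain socket (what a notify does)."""
    chan.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])


def recv_fd(chan):
    """Receive one descriptor; raises if the message carried none."""
    fds = array.array("i")
    _, ancdata, _, _ = chan.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, typ, data in ancdata:
        if level == socket.SOL_SOCKET and typ == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")


def _accepted_loopback_connection():
    """A 'client' and the server-side socket accepted from it (assumed loopback)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    client = socket.create_connection(lst.getsockname())
    server_side, _ = lst.accept()
    lst.close()
    return client, server_side


def peer_seen_after_client_hangs_up():
    """Peer closes first, server still holds the fd: the daemon can still
    learn who the peer was. Returns the (host, port) the receiver sees."""
    client, srv = _accepted_loopback_connection()
    ctl_daemon_side, ctl_app_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        client.close()                       # client pulls out early (FIN)
        send_fd(ctl_app_side, srv.fileno())  # server notifies with the open fd
        fd = recv_fd(ctl_daemon_side)
        with socket.socket(fileno=fd) as s:  # daemon side looks at the descriptor
            return s.getpeername()
    finally:
        for s in (ctl_daemon_side, ctl_app_side, srv):
            s.close()


def notify_after_server_closed():
    """Server has already closed its end: the number it remembers no longer
    names an open descriptor, so the pass fails. Returns True on EBADF."""
    client, srv = _accepted_loopback_connection()
    ctl_daemon_side, ctl_app_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    stale = srv.fileno()
    srv.close()                              # nothing allocated between here
    try:                                     # and the sendmsg, so the number
        send_fd(ctl_app_side, stale)         # is a dangling one, not reused
    except OSError as e:
        return e.errno == errno.EBADF
    finally:
        for s in (ctl_daemon_side, ctl_app_side, client):
            s.close()
    return False


if __name__ == "__main__":
    print("after client hang-up, daemon sees:", peer_seen_after_client_hangs_up())
    print("after server close, pass fails with EBADF:", notify_after_server_closed())
```

The first case is why a notification placed where smtpd logs "lost connection after AUTH" can still work: the peer is gone, but smtpd has not yet closed the socket, so the descriptor still carries the peer address. The second case is the one the post calls "not fixable": once the daemon has closed the socket, there is no descriptor to pass, and the only remedy is to notify earlier in the code path or to use the address-taking variant of the API.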


blacklistd not reacting to postfix/smtpd AUTH failures

2020-08-07 Thread Emile `iMil' Heitor



Hi,

On this machine:

NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 
2020  mkre...@mkrepro.netbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

I have the following setup:

$ cat /etc/blacklistd.conf
[local]
domain  dgram   *   *   *   3   24h
smtpstream  *   *   *   3   24h
submission  stream  *   *   *   3   24h
imaps   stream  *   *   *   3   24h
ssh stream  *   *   *   3   24h

$ cat /etc/npf.conf

$ext = vioif0

set bpf.jit on;
alg "icmp"

table  type ipset file "/etc/npf_blacklist"

group "external" on $ext {
ruleset "blacklistd"
block in final from 
pass final all
}

group default {
pass final all
}

This works, i.e. blocks bruteforce attempts on ports 53 and 22, but
authentication failures on port 25 are not caught and thus no blacklisting
takes place:

$ sudo grep AUTH /var/log/maillog|tail -6
Aug  7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from 
unknown[78.128.113.116]
Aug  7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from 
unknown[78.128.113.116]
Aug  7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from 
unknown[78.128.113.116]
Aug  7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from 
unknown[78.128.113.116]
Aug  7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH from 
unknown[78.128.113.116]
Aug  7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH from 
unknown[78.128.113.116]

$ sudo grep blacklist /var/log/messages
Aug  7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53 after 
86400 seconds
Aug  7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53 after 
86400 seconds
Aug  7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for 86400 
seconds

$ sudo blacklistctl dump -ab
address/ma:port id  nfail   last access
 89.248.167.135/32:53   1/3 2020/08/07 02:23:22
  195.144.21.56/32:53   1/3 2020/08/07 06:57:38
  146.88.240.15/32:53   1/3 2020/08/06 16:39:09
  3.235.107.224/32:53   3   3/3 2020/08/07 14:05:09
 146.88.240.128/32:53   2/3 2020/08/06 21:51:36
2001:bc8:234c:1/128:22  1/3 2020/08/06 16:21:34
 71.6.232.7/32:53   1/3 2020/08/07 05:42:50
80.82.65.90/32:53   2/3 2020/08/06 18:25:48
 74.82.47.2/32:53   1/3 2020/08/07 02:42:22
   146.88.240.4/32:53   1/3 2020/08/06 16:22:46
  193.29.15.169/32:53   2/3 2020/08/06 18:54:24
  185.232.65.36/32:53   1/3 2020/08/06 22:06:34
 192.35.168.251/32:53   1/3 2020/08/07 01:58:55
185.50.66.1/32:53   1/3 2020/08/07 12:52:59

smtpd is indeed linked over libblacklist:

$ ldd /usr/libexec/postfix/smtpd |grep black
-lblacklist.0 => /usr/lib/libblacklist.so.0

Anything I am missing here?

Thanks,


Emile `iMil' Heitor  | https://imil.net

