Re: Brutal attacks

2016-07-11 Thread Allen Coates
I found this in "man iptables-extensions"


Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT


It could be adapted to offer basic DoS protection for postfix.

Unfortunately my MXhost does not have the extension module   :-(

Allen C




Re: Brutal attacks

2016-07-11 Thread Benning, Markus

On 2016-07-09 18:34, Robert Schetterer wrote:

additional fail2ban, but log parse was to slow at my side
and for sure use postscreen


It's possible to trigger fail2ban from a policyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban


Markus
--
https://markusbenning.de/
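Markus points at triggering fail2ban from a policy daemon. As an added example that is neither mtpolicyd's code nor part of this thread, the Python below implements the Postfix SMTPD policy protocol exchange such a daemon sits behind: a request of name=value lines ended by an empty line, answered with action=... plus an empty line. The per-client sliding window, its thresholds and the sample request values are assumptions.

```python
import time
from collections import defaultdict, deque

class RateLimiter:
    """Per-client request counter over a sliding window (thresholds assumed)."""
    def __init__(self, window_s=60, max_requests=20):
        self.window_s, self.max_requests = window_s, max_requests
        self.seen = defaultdict(deque)    # client_address -> request timestamps

    def decide(self, attrs, now=None):
        """Map one parsed policy request to a Postfix policy action."""
        now = time.monotonic() if now is None else now
        client = attrs.get("client_address", "")
        if attrs.get("request") != "smtpd_access_policy" or not client:
            return "DUNNO"                    # not a request we judge
        q = self.seen[client]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                       # forget requests outside the window
        if len(q) > self.max_requests:
            # Temporary failure: a bot is stalled, a legitimate sender retries.
            return "DEFER_IF_PERMIT Too many requests, slow down"
        return "DUNNO"

def parse_request(text):
    """Parse 'name=value' lines up to the empty line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def format_reply(action):
    """Postfix expects 'action=<decision>' followed by one empty line."""
    return "action=%s\n\n" % action

# Constructed sample request, shaped like what Postfix sends at RCPT time.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "protocol_name=ESMTP\nclient_address=192.0.2.10\n"
                  "client_name=unknown\nsender=bot@example.net\n"
                  "recipient=user@example.org\n\n")

if __name__ == "__main__":
    limiter = RateLimiter(max_requests=3)
    for _ in range(5):      # the fourth request inside the window gets deferred
        print(format_reply(limiter.decide(parse_request(SAMPLE_REQUEST))), end="")
```

Run as a master.cf spawn(8) service, the daemon would read stdin in blank-line-terminated blocks and write format_reply() output to stdout for each one; Postfix consults it through check_policy_service in smtpd_recipient_restrictions.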


Re: Brutal attacks

2016-07-09 Thread Robert Schetterer
On 09.07.2016 at 19:40, Lefteris Tsintjelis wrote:
> On 09 Jul 2016, at 19:34, Robert Schetterer  wrote:
> 
> On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
>> Is this a good postfix way to stall attackers (besides log parsing and
>> firewalling)? Bots are increasing dramatically these days
>>
>> smtpd_soft_error_limit = 1
>> smtpd_hard_error_limit = 1
>> smtpd_error_sleep_time = 16s (or even more)
> 
> as I had that over years ...
> 
> firewalling is the best solution
> something like
> 
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
> 
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
> 
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
> 
> additional fail2ban, but log parse was too slow at my side
> and for sure use postscreen
> 
> if they love you, don't expect any better time with whatever solution
> you use, but if you're in luck it's only a wave
> 
> ———
> 
> They don’t just love me, they adore me but I think this is everywhere nowadays.
> I am trying to avoid firewalls but there doesn’t seem to be any other
> way anymore. Thank you for the links and hints
> 

I have one domain, brutally shot at by bots for now over 10 years, all the
time; if I ever don't need it anymore I will use it as a spamtrap *g. Other
domains are attacked in waves



Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: Brutal attacks

2016-07-09 Thread Lefteris Tsintjelis
On 09 Jul 2016, at 19:34, Robert Schetterer  wrote:

On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
> 
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)

as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additional fail2ban, but log parse was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

———

They don’t just love me, they adore me but I think this is everywhere nowadays.
I am trying to avoid firewalls but there doesn’t seem to be any other way
anymore. Thank you for the links and hints

Re: Brutal attacks

2016-07-09 Thread Allen Coates
Limiting the number of simultaneous connections will fend off an
attacker until fail2ban kicks in.

For my (domestic) server, I have in main.cf :-

smtpd_client_connection_count_limit = 2

This is inherited by postscreen, which does a good job of throwing out
surplus connections.

Again - appropriate to *MY* circumstances - I have an iptables rule
limiting SMTP connect requests to six a minute. For me, two messages
an hour and I am busy :-)

The soft- and hard-error limits need your attacker to make a mistake. 
FWIW, I have :-

smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 6
smtpd_junk_command_limit = 2

They are not often invoked.

hope this helps

Allen C

On 09/07/16 16:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
>
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)
>




Re: Brutal attacks

2016-07-09 Thread Robert Schetterer
On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
> 
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)

as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additional fail2ban, but log parse was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: Brutal attacks

2016-07-09 Thread lists
Isn't a flood attack more likely? I would look into the rate limiting. 

I used a script to flood the server and the limiting does kick in.

I also tried dumping random text at the mail port and it eventually makes some 
funny comment then stops listening.

There doesn't seem to be much mail server pentest programming available.



Original Message
From: Lefteris Tsintjelis
Sent: Saturday, July 9, 2016 8:07 AM
To: postfix-users@postfix.org
Subject: Brutal attacks

Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days

smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)