Re: Brutal attacks
I found this in "man iptables-extensions" Examples:

    # allow 2 telnet connections per client host
    iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

It could be adapted to offer basic DoS protection for postfix.
Unfortunately my MXhost does not have the extension module :-(

Allen C
Re: Brutal attacks
On 2016-07-09 18:34, Robert Schetterer wrote:
> additional fail2ban, but log parse was too slow at my side
> and for sure use postscreen

It's possible to trigger fail2ban from a policyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban

Markus

-- 
https://markusbenning.de/
Re: Brutal attacks
On 09.07.2016 at 19:40, Lefteris Tsintjelis wrote:
> On 09 Jul 2016, at 19:34, Robert Schetterer wrote:
>
> On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
>> Is this a good postfix way to stall attackers (besides log parsing and
>> firewalling)? Bots are increasing dramatically these days
>>
>> smtpd_soft_error_limit = 1
>> smtpd_hard_error_limit = 1
>> smtpd_error_sleep_time = 16s (or even more)
>
> as I had that over years ...
>
> firewalling is the best solution
> something like
>
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
>
> additional fail2ban, but log parse was too slow at my side
> and for sure use postscreen
>
> if they love you, don't expect any better time with whatever solution
> you use, but if you're in luck it's only a wave
>
> ———
>
> They don’t just love me, they adore me but I think this is everywhere
> nowadays. I am trying to avoid firewalls but there doesn’t seem to be any other
> way anymore. Thank you for the links and hints

I have one domain, brutally shot by bots for now over 10 years, all the time;
if I ever don't need it anymore I will use it as a spamtrap *g, other domains are
attacked in waves

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Re: Brutal attacks
On 09 Jul 2016, at 19:34, Robert Schetterer wrote:

On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
>
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)

as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additional fail2ban, but log parse was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

———

They don’t just love me, they adore me but I think this is everywhere
nowadays. I am trying to avoid firewalls but there doesn’t seem to be any other
way anymore. Thank you for the links and hints
Re: Brutal attacks
Limiting the number of simultaneous connections will fend off an attacker until fail2ban kicks in. For my (domestic) server, I have in main.cf:

    smtpd_client_connection_count_limit = 2

This is inherited by postscreen, which does a good job of throwing out surplus connections.

Again - appropriate to *MY* circumstances - I have an iptables rule limiting smtp connect requests to six a minute. For me, two messages an hour and I am busy :-)

The soft- and hard-error limits need your attacker to make a mistake. FWIW, I have:

    smtpd_error_sleep_time = 2s
    smtpd_soft_error_limit = 3
    smtpd_hard_error_limit = 6
    smtpd_junk_command_limit = 2

They are not often invoked.

hope this helps

Allen C

On 09/07/16 16:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
>
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)
>
Re: Brutal attacks
On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote:
> Is this a good postfix way to stall attackers (besides log parsing and
> firewalling)? Bots are increasing dramatically these days
>
> smtpd_soft_error_limit = 1
> smtpd_hard_error_limit = 1
> smtpd_error_sleep_time = 16s (or even more)

as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additional fail2ban, but log parse was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
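The log parsing that fail2ban does for Postfix SMTP AUTH brute force, reduced to its core, as an added example that is not from any poster in this thread: it counts SASL failures (and "lost connection after AUTH" disconnects) per client IP inside a sliding window and returns the IPs that reached the limit. The log lines are constructed; the maxretry/findtime names mirror fail2ban's jail options but the code is standalone and assumes the default syslog timestamp format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style Postfix smtpd lines for a failed SASL login or a client that
# dropped the connection right after AUTH (the two traces a brute-forcer leaves).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?:warning: \S+\[(?P<ip1>[\d.]+)\]: SASL (?:LOGIN|PLAIN) authentication failed"
    r"|lost connection after AUTH from \S+\[(?P<ip2>[\d.]+)\])"
)
# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul  9 17:07:02 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:07:04 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:07:06 mx postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:07:07 mx postfix/smtpd[2101]: lost connection after AUTH from unknown[192.0.2.10]
Jul  9 17:08:00 mx postfix/smtpd[2102]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul  9 17:10:00 mx postfix/smtpd[2103]: connect from mail.example.org[203.0.113.5]
Jul  9 17:30:00 mx postfix/smtpd[2104]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul  9 17:59:00 mx postfix/smtpd[2105]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

def parse_ts(ts, year):
    # Syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=3, findtime=600, year=2016):
    """Return the client IPs that reached maxretry failures inside any
    findtime-second sliding window (fail2ban's maxretry/findtime semantics)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not an auth-failure line, e.g. a plain connect
        ip = m.group("ip1") or m.group("ip2")
        now = parse_ts(m.group("ts"), year)
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()       # expire events older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    for ip in sorted(offenders(SAMPLE_LOG.splitlines())):
        print(f"ban candidate: {ip}")
```

With the defaults, 192.0.2.10 is flagged after three failures in five seconds, while 198.51.100.7's three failures spread over 51 minutes never fall inside one 600-second window; raising findtime to cover that spread flags it too.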
Re: Brutal attacks
Isn't a flood attack more likely? I would look into the rate limiting. I used a script to flood the server and the limiting does kick in. I also tried dumping random text at the mail port and it eventually makes some funny comment then stops listening. There doesn't seem to be much mail server pentest programming available.

Original Message
From: Lefteris Tsintjelis
Sent: Saturday, July 9, 2016 8:07 AM
To: postfix-users@postfix.org
Subject: Brutal attacks

Is this a good postfix way to stall attackers (besides log parsing and firewalling)? Bots are increasing dramatically these days

smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)