Discussion:
Brute force attacks in various ports
Lefteris Tsintjelis
2016-07-26 17:21:43 UTC
Ever since postscreen is up and running I see very often from various IPs this:

Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: too many errors after AUTH from unknown[109.167.202.37]
Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: disconnect from unknown[109.167.202.37] ehlo=1 auth=0/1 commands=1/2
Jul 26 20:05:31 mx postfix/submission/smtpd[20597]: too many errors after AUTH from unknown[109.167.202.37]
Jul 26 20:05:31 mx postfix/submission/smtpd[20597]: disconnect from unknown[109.167.202.37] ehlo=2 starttls=1 auth=0/1 commands=3/4
Jul 26 20:05:36 mx postfix/smtps/smtpd[20600]: too many errors after AUTH from unknown[109.167.202.37]
Jul 26 20:05:36 mx postfix/smtps/smtpd[20600]: disconnect from unknown[109.167.202.37] ehlo=1 auth=0/1 commands=1/2
Jul 26 20:05:42 mx postfix/submission/smtpd[20605]: too many errors after AUTH from unknown[109.167.202.37]
Jul 26 20:05:42 mx postfix/submission/smtpd[20605]: disconnect from unknown[109.167.202.37] ehlo=2 starttls=1 auth=0/1 commands=3/4

Is there a way to deal with them?
Benny Pedersen
2016-07-26 17:36:40 UTC
Post by Lefteris Tsintjelis
Is there a way to deal with them?
fail2ban based on PBL, but in fail2ban whitelist the ISPs you have users in

it's then no maintenance locally
Lefteris Tsintjelis
2016-07-26 17:55:29 UTC
Post by Benny Pedersen
fail2ban based on PBL, but in fail2ban whitelist the ISPs you have users in
Is log parsing the only way?
Wietse Venema
2016-07-26 18:02:28 UTC
Post by Lefteris Tsintjelis
Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: too many errors after AUTH from unknown[109.167.202.37]
fail2ban comes to mind.

Wietse
Robert Schetterer
2016-07-26 18:07:12 UTC
Post by Lefteris Tsintjelis
Post by Benny Pedersen
fail2ban based on PBL, but in fail2ban whitelist the ISPs you have users in
Is log parsing the only way?
fail2ban is a good choice

iptables with string and recent is another way

like

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

or

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

but it may be overkill for your server, and the examples may not fit your problem exactly


Best Regards
MfG Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Benny Pedersen
2016-07-26 18:35:33 UTC
Post by Lefteris Tsintjelis
Post by Benny Pedersen
fail2ban based on PBL, but in fail2ban whitelist the ISPs you have users in
Is log parsing the only way?
if you don't like maintained solutions, yes

note: keep a long blacklist time on PBL listings

# postfix jail.d

[DEFAULT]

ignoreip = add your users' IPs here

# for all
bantime = 86400
findtime = 600
maxretry = 1
action = shorewall-drop
logpath = /var/log/messages
logencoding = utf-8

[sbl_spamhaus_org]
enabled = false
filter = postfix_dnslog_sbl_spamhaus_org

[xbl_spamhaus_org]
enabled = false
filter = postfix_dnslog_xbl_spamhaus_org

[css_spamhaus_org]
enabled = false
filter = postfix_dnslog_css_spamhaus_org

[pbl_spamhaus_org]
enabled = true
filter = postfix_dnslog_pbl_spamhaus_org

# it can be combined into one rule with multiple filters

# postfix_dnslog_css_spamhaus_org.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.3

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
#ignoreregex = addr <HOST> listed by domain list.dnswl.org as
# addr <HOST> listed by domain swl.spamhaus.org as

ignoreregex =

# postfix_dnslog_pbl_spamhaus_org.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.10
            addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.11

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# ignoreregex = addr <HOST> listed by domain list.dnswl.org as
# addr <HOST> listed by domain swl.spamhaus.org as

ignoreregex =

# postfix_dnslog_sbl_spamhaus_org.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.2

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
#ignoreregex = addr <HOST> listed by domain list.dnswl.org as
# addr <HOST> listed by domain swl.spamhaus.org as

ignoreregex =

# postfix_dnslog_xbl_spamhaus_org.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.4
            addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.5
            addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.6
            addr <HOST> listed by domain zen.spamhaus.org as 127.0.0.7

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
#ignoreregex = addr <HOST> listed by domain list.dnswl.org as
# addr <HOST> listed by domain swl.spamhaus.org as

ignoreregex =


sorry for the long posting
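The fail2ban mechanics discussed in this thread (a failregex with the `<HOST>` group, a findtime/maxretry window, and an ignoreip whitelist for the ISPs your users come from), shown as an added standalone example that is not part of any post and not fail2ban's own code. The failregex for the "too many errors after AUTH" lines is constructed here from the OP's log format; the sample log lines and addresses are constructed too.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# fail2ban expands <HOST> to this pattern (quoted in the filter files above).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Constructed failregex for the OP's "too many errors after AUTH" lines on
# the smtps and submission services (not fail2ban's shipped postfix filter).
FAILREGEX = re.compile(
    r"postfix/(?:smtps|submission)/smtpd\[\d+\]: too many errors after AUTH "
    r"from \S+\[" + HOST + r"\]"
)
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# Constructed sample lines in the OP's syslog format (TEST-NET addresses).
SAMPLE = [
    "Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: too many errors after AUTH from unknown[192.0.2.37]",
    "Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: disconnect from unknown[192.0.2.37] ehlo=1 auth=0/1 commands=1/2",
    "Jul 26 20:05:31 mx postfix/submission/smtpd[20597]: too many errors after AUTH from unknown[192.0.2.37]",
    "Jul 26 20:05:40 mx postfix/submission/smtpd[20601]: too many errors after AUTH from unknown[198.51.100.5]",
]

def parse_ts(line, year=2016):
    """Syslog timestamps carry no year, so one is supplied (assumed 2016 here)."""
    return datetime.strptime(f"{year} {TS.match(line).group(1)}", "%Y %b %d %H:%M:%S")

def ignored(host, nets):
    """True when host is an IP inside one of the ignoreip networks; hostnames never match."""
    try:
        return any(ip_address(host) in n for n in nets)
    except ValueError:
        return False

def bans(lines, findtime=600, maxretry=1, ignoreip=()):
    """Return {host: time_of_ban} for hosts reaching maxretry hits within findtime seconds."""
    nets = [ip_network(n) for n in ignoreip]
    hits, banned = defaultdict(list), {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or m.group("host") in banned or ignored(m.group("host"), nets):
            continue
        host, t = m.group("host"), parse_ts(line)
        # keep only hits still inside the sliding findtime window, then add this one
        hits[host] = [h for h in hits[host] if (t - h).total_seconds() <= findtime] + [t]
        if len(hits[host]) >= maxretry:
            banned[host] = t
    return banned

if __name__ == "__main__":
    print(bans(SAMPLE, maxretry=1, ignoreip=["198.51.100.0/24"]))
```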
Lefteris Tsintjelis
2016-07-26 19:03:28 UTC
Post by Benny Pedersen
Post by Lefteris Tsintjelis
Post by Benny Pedersen
fail2ban based on PBL, but in fail2ban whitelist the ISPs you have users in
Is log parsing the only way?
if you don't like maintained solutions, yes
note: keep a long blacklist time on PBL listings
Thank you
