Discussion:
Brutal attacks
(too old to reply)
Lefteris Tsintjelis
2016-07-09 17:40:37 UTC
Permalink
Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)
as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additionally fail2ban, but log parsing was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

———

They don’t just love me, they adore me but I think this is everywhere nowadays. I am trying to avoid firewalls but there doesn’t seem to be any other way anymore. Thank you for the links and hints
l***@lazygranch.com
2016-07-09 15:44:41 UTC
Permalink
Isn't a flood attack more likely? I would look into the rate limiting. 

I used a script to flood the server and the limiting does kick in.

I also tried dumping random text at the mail port and it eventually makes some funny comment then stops listening.

There doesn't seem to be much mail server pentest programming available.



  Original Message  
From: Lefteris Tsintjelis
Sent: Saturday, July 9, 2016 8:07 AM
To: postfix-***@postfix.org
Subject: Brutal attacks

Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days

smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)
Robert Schetterer
2016-07-09 16:34:39 UTC
Permalink
Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)
as I had that over years ...

firewalling is the best solution
something like

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

additionally fail2ban, but log parsing was too slow at my side
and for sure use postscreen

if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave

Best Regards
MfG Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
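Robert's "parse the log, then firewall" approach, as an added example that is not from the thread, the sys4 blog posts or fail2ban itself: a small Python matcher over constructed Postfix smtpd log lines (RFC 5737 documentation addresses, syslog format as Postfix writes it) that applies the fail2ban notion of maxretry failures within findtime seconds per client IP and renders each block decision as the iptables command a ban action would run (returned as strings, never executed). The year passed in is an assumption, because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed sample log in Postfix/syslog format (documentation IPs only).
SAMPLE_LOG = """\
Jul  9 17:40:01 mx postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Jul  9 17:40:02 mx postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:40:03 mx postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:40:05 mx postfix/smtpd[2102]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul  9 17:40:09 mx postfix/smtpd[2103]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:40:12 mx postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
Jul  9 17:40:31 mx postfix/smtpd[2105]: connect from mail.example.net[192.0.2.10]
Jul  9 17:40:40 mx postfix/smtpd[2103]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:41:02 mx postfix/smtpd[2103]: too many errors after AUTH from unknown[198.51.100.23]
Jul  9 17:45:00 mx postfix/smtpd[2107]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
Jul  9 17:58:30 mx postfix/smtpd[2108]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
"""

# One regex per failure kind we count; both carry the client IP in [...].
TIMESTAMP = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
FAILURE_PATTERNS = [
    re.compile(TIMESTAMP + r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
    re.compile(TIMESTAMP + r"too many errors after \w+ from \S+\[(?P<ip>[\d.]+)\]"),
]


def find_bans(log_text: str, maxretry: int = 3, findtime: int = 600,
              year: int = 2016) -> Dict[str, datetime]:
    """Return {ip: time of the failure that triggered the ban}.

    A ban is triggered by the maxretry-th failure from one IP inside a
    sliding window of findtime seconds, the way fail2ban counts them.
    year is an assumption: syslog timestamps do not carry one.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            m = pattern.match(line)
            if m:
                break
        else:
            continue  # connect/disconnect lines and the like are not failures
        ip = m.group("ip")
        if ip in bans:
            continue  # already decided; a real jail would have blocked it by now
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop hits older than findtime; window is never empty here.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans: Dict[str, datetime], port: int = 25) -> List[str]:
    """Render each ban as the iptables rule a fail2ban action would insert."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(bans)]


if __name__ == "__main__":
    decided = find_bans(SAMPLE_LOG)
    for ip, when in decided.items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("\n".join(ban_commands(decided)))
```

The third client in the sample shows the window at work: two failures 13 minutes apart never ban it at findtime=600, but would at findtime=900. The delay Robert complains about is built into this design: nothing happens until syslog has written the line and the parser has read it, which is why his links go to rsyslog plus the iptables recent module, and why Markus's policy-daemon hook further down reacts while the session is still open.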
Allen Coates
2016-07-09 17:17:26 UTC
Permalink
Limiting the number of simultaneous connections will fend off an
attacker until fail2ban kicks in.

For my (domestic) server, I have in main.cf :-

smtpd_client_connection_count_limit = 2

This is inherited by postscreen, which does a good job of throwing out
surplus connections.

Again - appropriate to *MY* circumstances - I have an iptables rule,
limiting smtp connect requests to six a minute. For me, two messages
an hour and I am busy :-)

The soft- and hard-error limits need your attacker to make a mistake.
FWIW, I have :-

smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 6
smtpd_junk_command_limit = 2

They are not often invoked.

hope this helps

Allen C
Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)
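To put the two configurations quoted in this thread side by side, here is an added example (my own code, not anything posted by Lefteris or Allen, and not Postfix source). It is a simplified model of the smtpd error-limit behaviour as postconf(5) describes it: every command the server rejects counts as an error, junk commands (NOOP/VRFY/ETRN/RSET) start counting once more than smtpd_junk_command_limit of them have been seen, every reply is delayed by smtpd_error_sleep_time once the count reaches smtpd_soft_error_limit, and the session ends with a 421 once it reaches smtpd_hard_error_limit. The exact comparison (>= rather than >) and the delaying of the closing 421 are assumptions of this model, and the sessions fed to it are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Commands Postfix treats as "junk": they succeed, but only a limited
# number per session are free before each one counts as an error.
JUNK_COMMANDS = {"NOOP", "VRFY", "ETRN", "RSET"}


@dataclass(frozen=True)
class ErrorLimits:
    """The main.cf parameters discussed in the thread."""
    soft_error_limit: int          # smtpd_soft_error_limit
    hard_error_limit: int          # smtpd_hard_error_limit
    error_sleep_time: int          # smtpd_error_sleep_time, in seconds
    junk_command_limit: int = 100  # smtpd_junk_command_limit (Postfix default)


@dataclass(frozen=True)
class SessionOutcome:
    replies: int        # replies the client received, including a final 421
    errors: int         # error count when the session ended
    delay_seconds: int  # total time the client was stalled by sleeps
    disconnected: bool  # True if the hard limit closed the session


def simulate_session(commands: List[Tuple[str, bool]], limits: ErrorLimits) -> SessionOutcome:
    """Run one SMTP session through the model.

    commands is a list of (verb, accepted) pairs, where accepted is how the
    server judged the command (False for an unknown command, a rejected
    RCPT, a failed AUTH, ...). Assumption: both thresholds use >= and the
    closing 421 is delayed like any other reply.
    """
    errors = junk = delay = replies = 0
    for verb, accepted in commands:
        if verb.upper() in JUNK_COMMANDS:
            junk += 1
            if junk > limits.junk_command_limit:
                errors += 1
        elif not accepted:
            errors += 1
        # Reply to this command, stalled once the soft limit has been reached.
        if errors >= limits.soft_error_limit:
            delay += limits.error_sleep_time
        replies += 1
        # Hard limit reached: "421 ... too many errors", then hang up.
        if errors >= limits.hard_error_limit:
            if errors >= limits.soft_error_limit:
                delay += limits.error_sleep_time
            replies += 1
            return SessionOutcome(replies, errors, delay, True)
    return SessionOutcome(replies, errors, delay, False)


# The two configurations quoted in the thread.
LEFTERIS = ErrorLimits(soft_error_limit=1, hard_error_limit=1, error_sleep_time=16)
ALLEN = ErrorLimits(soft_error_limit=3, hard_error_limit=6, error_sleep_time=2,
                    junk_command_limit=2)

# Constructed sessions: a bot failing AUTH ten times, a bot whose every
# command is accepted, and a client sending a run of NOOPs.
AUTH_GUESSING = [("EHLO", True)] + [("AUTH", False)] * 10
WELL_BEHAVED_BOT = [("EHLO", True), ("MAIL", True), ("RCPT", True),
                    ("DATA", True), ("QUIT", True)]
NOOP_FLOOD = [("EHLO", True)] + [("NOOP", True)] * 5


def compare(session: List[Tuple[str, bool]]) -> dict:
    """Outcome of one session under both configurations."""
    return {"lefteris": simulate_session(session, LEFTERIS),
            "allen": simulate_session(session, ALLEN)}


if __name__ == "__main__":
    for name, session in [("AUTH guessing", AUTH_GUESSING),
                          ("well-behaved bot", WELL_BEHAVED_BOT),
                          ("NOOP flood", NOOP_FLOOD)]:
        for cfg, outcome in compare(session).items():
            print(f"{name:16s} {cfg:9s} {outcome}")
```

The well-behaved session is Allen's point in numbers: a bot that speaks correct SMTP and is accepted never trips either limit, so these settings only touch clients that err. With 1/1/16s the first mistake costs the client about half a minute and the session; with 3/6/2s it gets six attempts and ten seconds of stall, which is kinder to a legitimate client with a stale password, and the junk limit of 2 is what makes a NOOP run start counting.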
Robert Schetterer
2016-07-09 19:55:27 UTC
Permalink
Post by Lefteris Tsintjelis
Is this a good postfix way to stall attackers (besides log parsing and
firewalling)? Bots are increasing dramatically these days
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)
as I had that over years ...
firewalling is the best solution
something like
https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
additionally fail2ban, but log parsing was too slow at my side
and for sure use postscreen
if they love you, don't expect any better time with whatever solution
you use, but if you're in luck it's only a wave
———
They don’t just love me, they adore me but I think this is everywhere nowadays. I am trying to avoid firewalls but there doesn’t seem to be any other way anymore. Thank you for the links and hints
I have one domain, brutally shot at by bots for now over 10 years, all the
time; if I ever don't need it anymore I will use it as a spamtrap *g, other
domains are attacked in waves



Best Regards
MfG Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Benning, Markus
2016-07-11 06:58:29 UTC
Permalink
Post by Lefteris Tsintjelis
additional fail2ban, but log parse was to slow at my side
and for sure use postscreen
It's possible to trigger fail2ban from a policyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban


Markus
--
https://markusbenning.de/
Allen Coates
2016-07-11 09:25:22 UTC
Permalink
I found this in "man iptables-extensions"

<BEGIN QUOTE>
Examples:

# allow 2 telnet connections per client host

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit
--connlimit-above 2 -j REJECT
<END QUOTE>

It could be adapted to offer basic DoS protection for postfix.

Unfortunately my MXhost does not have the extension module :-(

Allen C
