Hi,
I have used fail2ban for a while, to block brute force attacks on ssh, imap(s) or submission(s) ports.
More because I wanted to reduce the noise in the logs rather than a fear of a broken password.
Then, with nftables, I realised you can achieve the same thing, as long as a TCP connection isn't close. This works very
well for SSH, but I then realised it works for a modern IMAP server that supports IDLE, since the connection is kept
open, for instance the excellent Dovecot mail server.
Here an example, of nftable ruleset, for dovecot imap(s):
table inet filter {
set banned_imap_ipv4 {
type ipv4_addr
flags dynamic,timeout
timeout 1d
}
set banned_imap_ipv6 {
type ipv6_addr
size 65535
flags dynamic,timeout
timeout 1d
}
chain input {
# Limit new imap connections ala fail2ban
meta nfproto ipv4 tcp dport imaps ct state new,untracked \
limit rate over 10/minute add @banned_imap_ipv4 { ip saddr }
meta nfproto ipv6 tcp dport imaps ct state new,untracked \
limit rate over 10/minute add @banned_imap_ipv6 { ip6 saddr }
# Reject the traffic explicitly
ip saddr @banned_imap_ipv4 tcp dport imaps reject with icmp type admin-prohibited
ip6 saddr @banned_imap_ipv6 tcp dport imaps reject with icmpv6 type admin-prohibited
tcp dport { imap, imaps } ct state new counter accept \
comment "Accept imap/imaps connections"
}
}
Surprisingly, this is working very well with Dovecot, and various modern clients like Evolution or Thunderbird, as well
as K9 on Android.
There is also a way to save the rules before restarting the firewall, which works very well as well:
# nft list set inet filter banned_imap_ipv4
table inet filter {
set banned_imap_ipv4 {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1d
elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms }
}
}
Now, the question I have is this.
I can limit new TCP connections to a reasonable amount, like 10 per minute, because I know I will not try to send that
amount of emails from a single IP.
However, is there an option, in Postfix, to keep the TCP connection opened for submission(s) protocols (ports 465 or
587)
Thanks for your insights.