On Thu, 2023-06-22 at 16:27 +0100, Nick Howitt via Fail2ban-users wrote:
On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
Hello, all.
I just set up a new server, running postfix, with submission(s) activated on the standard ports (587, 465).
Shortly after it was set up, I see brute force attacks (not surprising) from a whole /24 network (more surprising).
I carefully checked the logs, and see the modus operandi, which basically loops across the IP addresses in the network, to avoid being blacklisted by tools like fail2ban. And it is true, even with fail2ban activated, no IP is blacklisted.
By activating verbose logging, I see multiple user names are tried, not only passwords.
Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance?
I basically need features that fail2ban doesn't offer:
- I would like to not rely on reading logs, removing one step and acting more pro-actively.
- If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user having lost his password and a brute force attack.
- If I log all the failures in a database, with the IP address and the whois information, the script could take decisions according to the whois information.
What are you using on your side?
- Do you know any service that I could use to get the network to ban from an IP address reputation, something like crowdsec, for instance?
- Has anyone had success with Suricata, Snort, or a tool like this?
Please, do not suggest third party hosted services, I want to be part of my self-hosting solution.
Kind regards, André
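As an added defensive example (not code from the thread, nor from Postfix or fail2ban), the script below parses constructed postfix SASL failure lines, aggregates them per /24 and uses the Levenshtein distance to a list of real accounts to separate a distributed scan from a user mistyping their own name. The log format with a trailing `sasl_username=` field, the `KNOWN_USERS` list and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of postfix submission auth failures (not from the thread);
# the "sasl_username=" field is assumed to be present in the log format.
SAMPLE_LOG = """\
Jun 22 12:01:01 mx postfix/submission/smtpd[101]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed, sasl_username=admin
Jun 22 12:01:03 mx postfix/submission/smtpd[102]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed, sasl_username=root
Jun 22 12:01:05 mx postfix/submission/smtpd[103]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed, sasl_username=test
Jun 22 12:05:00 mx postfix/submission/smtpd[120]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed, sasl_username=andre
Jun 22 12:05:09 mx postfix/submission/smtpd[121]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed, sasl_username=andrr
"""
KNOWN_USERS = ["andre", "nick"]  # constructed list of real mailbox accounts
LOG_RE = re.compile(r"\[(?P<ip>\d+(?:\.\d+){3})\]: SASL \w+ authentication failed.*sasl_username=(?P<user>\S+)")

def levenshtein(a, b):
    # Classic edit distance, one DP row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_failures(log_text):
    # Yield (ip, username) for every SASL failure line the regex matches.
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def analyze(log_text, known_users, prefix=24, max_dist=2, min_ips=3, min_users=3):
    # Aggregate failures per /prefix network, then label each network.
    nets = defaultdict(lambda: {"ips": set(), "users": set(), "near": 0, "total": 0})
    for ip, user in parse_failures(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        s = nets[net]
        s["ips"].add(ip); s["users"].add(user); s["total"] += 1
        # A tried name within max_dist edits of a real account looks like a typo, not a scan.
        if min(levenshtein(user, k) for k in known_users) <= max_dist:
            s["near"] += 1
    labels = {}
    for net, s in nets.items():
        if len(s["ips"]) >= min_ips and len(s["users"]) >= min_users and s["near"] == 0:
            labels[net] = "distributed-bruteforce"   # many hosts, many fake names: the /24 pattern
        elif s["near"] == s["total"]:
            labels[net] = "probable-lost-password"   # only real-looking accounts, wrong password
        else:
            labels[net] = "suspicious"
    return labels
```

Feeding it the rotating-/24 attempts from the thread gives one "distributed-bruteforce" label for the whole network, which is the unit a ban or a whois lookup would then act on.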
Are you sure the attacks are on port 465/587? All the big ones I used to see were on 25 with user/pass. There is still little action on 587 as far as I can see. There is a bit. I don't use 465.
What I have done is come at it from a completely different angle. Don't allow authentication on 25! If anyone needs to authenticate they have to use 587. If you're lazy you can allow unauthenticated connections from your LAN to save reconfiguring all internal devices, but for external devices, port 587 only. You still leave 25 open as you need it to receive emails.
Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Yes, it is definitely happening on submission.
I will probably end up using a VPN for submission and not expose these ports on the internet.
Kind regards, André