On Thu, 2023-06-22 at 16:27 +0100, Nick Howitt via Fail2ban-users wrote:
>
>
> On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
> > Hello, all.
> >
> > I just set up a new server, running postfix, with submission(s)
> > activated on standard ports (587, 465).
> >
> > Shortly after it has been setup, I see brute force attacks (not
> > surprising) from a whole /24 network (more surprising).
> >
> > I carefully checked the logs, and see the modus operandi, which
> > basically loops across the IP addresses in the network,
> > to avoid being blacklisted by tools like fail2ban. And it is true,
> > even with fail2ban activated, no IP is blacklisted.
> >
> > By activating verbose logging, I see multiple user names are tried,
> > not only passwords.
> >
> > Is there any way, with postfix, to run a script on authentication
> > failure, with information like the IP address and the
> > username passed, for instance?
> >
> > I basically need features that fail2ban doesn't offer:
> >
> > - I would like to not rely on reading logs, removing one step and
> > acting more pro-actively.
> > - If a script is called on authentication failure, it is fairly easy
> > to use a Levenshtein distance to differentiate
> > between a user who has lost his password and a brute force attack.
> > - If I log all the failures in a database, with the IP address and the
> > whois information, the script could take decisions
> > according to the whois information.
> >
> > What are you using on your side?
> >
> > - Do you know any service that I could use to get the network to ban
> > from an IP address reputation, something like
> > crowdsec, for instance?
> > - Has anyone had success with Suricata, Snort, or a tool like this?
> >
> > Please, do not suggest third party hosted services, I want to be part
> > of my self-hosting solution.
> >
> > Kind regards,
> > André
>
> Are you sure the attacks are on port 465/587? All the big ones I used to
> see were on 25 with user/pass. There is still little action on 587 as
> far as I can see. There is a bit. I don't use 465.
>
> What I have done is come at it from a completely different angle. Don't
> allow authentication on 25! If anyone needs to authenticate they have to
> use 587. If you're lazy you can allow unauthenticated connections from
> your LAN to save reconfiguring all internal devices, but for external
> devices, port 587 only. You still leave 25 open as you need it to
> receive emails.
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Yes, it is definitely happening on submission.

I will probably end up using a VPN for submission and not expose these ports on the internet.

Kind regards,
André
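The evasion André describes (one /24 rotating its source addresses so that no single IP reaches fail2ban's per-IP maxretry) can be caught by aggregating Postfix SASL failures per network instead of per host. The script below is an added example, not code from the thread or from fail2ban; the log lines, hostnames, addresses and thresholds are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd SASL failure line; the service name (submission, smtps) is
# present when the listener is defined under that name in master.cf.
SASL_FAIL = re.compile(
    r"postfix/(?:(?P<service>[\w-]+)/)?smtpd\[\d+\]: warning: "
    r"[^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

def parse_failures(lines):
    """Yield (service, ip) for every SASL authentication failure in the log."""
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            yield m.group("service"), ipaddress.ip_address(m.group("ip"))

def failures_by_network(lines, prefixlen=24):
    """Aggregate failures per /prefixlen (IPv4) network: {network: {ip: count}}."""
    nets = defaultdict(lambda: defaultdict(int))
    for _service, ip in parse_failures(lines):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[net][ip] += 1
    return nets

def distributed_attackers(lines, min_hosts=3, min_failures=5, prefixlen=24):
    """Networks whose failures are spread over several hosts: each host stays
    under a per-IP threshold, but the block as a whole does not."""
    flagged = []
    for net, per_ip in failures_by_network(lines, prefixlen).items():
        total = sum(per_ip.values())
        if len(per_ip) >= min_hosts and total >= min_failures:
            flagged.append((str(net), len(per_ip), total))
    return sorted(flagged)

# Constructed sample: 203.0.113.0/24 rotates three hosts on submission (at most
# two failures each); 198.51.100.7 is one client mistyping a password on port 25.
SAMPLE_LOG = """\
Jun 22 12:01:03 mx postfix/submission/smtpd[2210]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Jun 22 12:01:09 mx postfix/submission/smtpd[2211]: warning: unknown[203.0.113.11]: SASL PLAIN authentication failed: authentication failure
Jun 22 12:01:15 mx postfix/submission/smtpd[2210]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: authentication failure
Jun 22 12:01:22 mx postfix/submission/smtpd[2213]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Jun 22 12:01:30 mx postfix/submission/smtpd[2214]: warning: unknown[203.0.113.11]: SASL PLAIN authentication failed: authentication failure
Jun 22 12:02:41 mx postfix/smtpd[2215]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

if __name__ == "__main__":
    print(distributed_attackers(SAMPLE_LOG.splitlines()))  # [('203.0.113.0/24', 3, 5)]
```

A flagged network can be fed to a fail2ban action or firewall rule that blocks the whole prefix, which per-IP matching never reaches in this pattern.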