On 01 Sep 2013, at 09:00 , Charles Marcus <CMarcus@Media-Brokers.com> wrote:
On 2013-08-30 7:55 PM, Joseph Tam <jtam.home@gmail.com> wrote:
Michael Smith writes:
We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP.
Yeah, distributed BFDs are tough to block unless you can characterize the clients well.
Wonder if there's a way to leverage Stan Hoeppner's most excellent botnet killer to reject AUTHs from the same types of clients before they even try?
Looking at Stan's pcre file, it seems like it's a brilliant tool for anyone who is using an older version of postfix that does not support postscreen and cannot upgrade. Anyone using a postscreen-capable postfix should use postscreen with zen and would gain very little (if anything) from adding this.
Really, postscreen is the best thing to come along for postfix since... I dunno, auth?
As far as the botnets go, at a certain point it is essentially worrying about "too many notes". Yes, there's a lot of failed attempts in the logs, but that's the thing, they are FAILED attempts. postfix already does a good job of dealing with those (for example, anvil).
If there are so many botnet connections that they are overwhelming your server and legitimate users can't login and legitimate email is being constantly and repeatedly temp-failed, then you start having to look into something else. But even if you are seeing thousands of connections a day, that is unlikely to affect your server.
Denyssh might be worth looking into, as I recall it has a feature to distribute a ban list which can be somewhat effective against botnets, if you are willing to trust the essentially crowd-sourced list of hosts to block. If your server is small and non-commercial, this might be acceptable. I'd be hesitant to do it otherwise. I'd probably end up doing it anyway, but I'd at least hesitate.
(I may be remembering something other than DenySsh)
-- "640K ought to be enough RAM for anybody." - Bill Gates, 1981
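As an added illustration (not part of the thread) of why a per-IP blocker misses the "one attempt per IP" pattern Michael and Joseph describe, this script aggregates authentication failures by target account rather than by client address. It assumes Dovecot imap-login log lines of the form shown; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Dovecot log (not from the original thread). One bot IP per
# attempt against "alice", two attempts from a single IP against "bob", one success.
SAMPLE_LOG = """\
Sep  1 09:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.10, lip=203.0.113.5
Sep  1 09:00:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.11, lip=203.0.113.5
Sep  1 09:00:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.12, lip=203.0.113.5
Sep  1 09:00:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.13, lip=203.0.113.5
Sep  1 09:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.7, lip=203.0.113.5
Sep  1 09:00:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.7, lip=203.0.113.5
Sep  1 09:00:13 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5
"""

# Assumed Dovecot auth-failure format; "rip" is the remote (client) IP.
FAIL_RE = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)")

def parse_failures(log_text):
    """Yield (user, client_ip) for every authentication failure in the log."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("user"), m.group("rip")

def per_ip_counts(log_text):
    """The view a per-IP blocker such as fail2ban has: failures keyed by client IP.
    With one attempt per bot, every IP stays below a typical maxretry threshold."""
    counts = defaultdict(int)
    for _user, rip in parse_failures(log_text):
        counts[rip] += 1
    return dict(counts)

def distributed_targets(log_text, min_ips=3):
    """Accounts attacked from at least `min_ips` distinct client IPs: the
    distributed pattern that per-IP thresholds cannot see."""
    ips_by_user = defaultdict(set)
    for user, rip in parse_failures(log_text):
        ips_by_user[user].add(rip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    print(per_ip_counts(SAMPLE_LOG))       # every IP shows only 1 or 2 failures
    print(distributed_targets(SAMPLE_LOG))  # alice is hit from 4 distinct IPs
```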