Postfix: running a script on authentication failure
Hello, all.
I just set up a new server running postfix, with submission(s) activated on the standard ports (587, 465).
Shortly after it was set up, I saw brute force attacks (not surprising) from a whole /24 network (more surprising).
I carefully checked the logs and see the modus operandi, which basically loops across the IP addresses in the network to avoid being blacklisted by tools like fail2ban. And it is true: even with fail2ban activated, no IP is blacklisted.
By activating verbose logging, I see that multiple usernames are tried, not only passwords.
Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance?
I basically need features that fail2ban doesn't offer:
- I would like to not rely on reading logs, removing one step and acting more proactively.
- If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user who has lost his password and a brute force attack.
- If I log all the failures in a database, with the IP address and the whois information, the script could take decisions according to the whois information.
What are you using on your side?
- Do you know of any service that I could use to get the network to ban from an IP address's reputation, something like crowdsec, for instance?
- Has anyone had success with Suricata, Snort, or a similar tool?
Please do not suggest third party hosted services; I want it to be part of my self-hosting solution.
Kind regards, André
On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
Are you sure the attacks are on port 465/587? All the big ones I used to see were on 25 with user/pass. There is still little action on 587 as far as I can see. There is a bit. I don't use 465.
What I have done is come at it from a completely different angle. Don't allow authentication on 25! If anyone needs to authenticate they have to use 587. If you're lazy you can allow unauthenticated connections from your LAN to save reconfiguring all internal devices, but for external devices, port 587 only. You still leave 25 open as you need it to receive emails.
On Thu, 2023-06-22 at 16:27 +0100, Nick Howitt via Fail2ban-users wrote:
Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Yes, it is definitely happening on submission.
I will probably end up using a VPN for submission and not expose these ports on the internet.
Kind regards, André
Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance.
I wrote my own script for omprog, which is part of rsyslog, to read dovecot auth fails, because postfix authenticates with dovecot and dovecot will log the auth failures.
If you don't know how omprog works: in concept it is "reading the logs", but in practice it gets loaded in memory by rsyslog and is fed log lines to parse in real time, instead of continuously launching a new script instance to read over existing log entries.
My script parses the IP, username, and password SHA1 hash to decide if the IP should be added to an ipset. The password hash lets me know if someone is repeatedly trying the same password vs. running through a dictionary attack.
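One way to build the resident omprog consumer described above, which also catches the whole-/24 rotation from the opening post that a per-IP jail never bans. This is an added example, not the poster's script: the log formats are modelled on dovecot's `auth_verbose` output (with `auth_verbose_passwords = sha1`) and postfix's smtpd SASL failure warning, and the thresholds, the `authfail_block` ipset name and the sample log lines are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Resident auth-failure triage for rsyslog's omprog (added example, not the
poster's own script).  rsyslog starts the program once and writes each
selected log line to its stdin, so counters persist in memory and nothing
re-reads the log file.  Log formats, thresholds and the ipset name below
are assumptions; check them against your own postfix/dovecot output."""
from __future__ import annotations

import hashlib
import ipaddress
import re
import sys
from collections import Counter, defaultdict
from dataclasses import dataclass

# Modelled on dovecot `auth_verbose = yes` + `auth_verbose_passwords = sha1`,
# and on postfix smtpd's "SASL ... authentication failed" warning (assumed).
DOVECOT_RE = re.compile(
    r"auth(?:-worker)?(?:\(\d+\))?: \w+\((?P<user>[^,)]+),(?P<ip>[0-9a-fA-F.:]+)[^)]*\): "
    r"(?:Password mismatch|unknown user)"
    r"(?: \(SHA1 of given password: (?P<pwhash>[0-9a-f]{40})\))?")
POSTFIX_RE = re.compile(
    r"smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed: "
    r"[^,]+(?:, sasl_username=(?P<user>\S+))?")


@dataclass(frozen=True)
class Failure:
    ip: str
    user: str | None
    pwhash: str | None


def parse_failure(line: str) -> Failure | None:
    """Extract (ip, user, password hash) from a recognised failure line."""
    for rx in (DOVECOT_RE, POSTFIX_RE):
        m = rx.search(line)
        if m:
            g = m.groupdict()
            return Failure(g["ip"], g.get("user"), g.get("pwhash"))
    return None


def subnet_of(ip: str) -> str:
    """Aggregation key: /24 for IPv4, /64 for IPv6 (assumed prefix sizes)."""
    plen = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class Triage:
    """Per-line decisions: ('ban', ip-or-net), ('notify', ip) or None.
    No time decay, to stay short; a real deployment would expire counters."""

    def __init__(self, ip_limit=5, net_ip_limit=8, net_fail_limit=20):
        self.ip_limit, self.net_ip_limit, self.net_fail_limit = ip_limit, net_ip_limit, net_fail_limit
        self.ip_fail, self.net_fail = Counter(), Counter()
        self.ip_users, self.ip_hashes, self.net_ips = defaultdict(set), defaultdict(set), defaultdict(set)
        self.banned, self.notified = set(), set()

    def feed(self, line: str):
        f = parse_failure(line)
        if f is None:
            return None
        net = subnet_of(f.ip)
        self.ip_fail[f.ip] += 1
        self.net_fail[net] += 1
        self.net_ips[net].add(f.ip)
        if f.user:
            self.ip_users[f.ip].add(f.user)
        if f.pwhash:
            self.ip_hashes[f.ip].add(f.pwhash)
        if net in self.banned or f.ip in self.banned:
            return None
        # Rotation across a whole /24: every source stays under the per-IP
        # limit, so a per-IP jail never fires; the subnet counters still do.
        if len(self.net_ips[net]) >= self.net_ip_limit and self.net_fail[net] >= self.net_fail_limit:
            self.banned.add(net)
            return ("ban", net)
        if self.ip_fail[f.ip] < self.ip_limit:
            return None
        # One IP, one user, one password hash repeated: a client with a stale
        # saved password, not a guessing attack.  Alert instead of banning.
        if len(self.ip_users[f.ip]) == 1 and len(self.ip_hashes[f.ip]) == 1:
            if f.ip in self.notified:
                return None
            self.notified.add(f.ip)
            return ("notify", f.ip)
        self.banned.add(f.ip)        # several users or several hashes: guessing
        return ("ban", f.ip)


def ipset_command(action: str, target: str) -> str:
    """Command for a decision; 'authfail_block' is an assumed hash:net set."""
    if action == "ban":
        return f"ipset add -exist authfail_block {target}"
    return f"logger -t authfail 'repeated same-password failures from {target}'"


def run(lines, **limits):
    """Feed lines through one Triage and return the non-empty decisions."""
    t = Triage(**limits)
    return [d for d in map(t.feed, lines) if d]


def sample_lines():
    """Constructed log lines (not real traffic) for the three patterns."""
    sha1 = lambda s: hashlib.sha1(s.encode()).hexdigest()
    dovecot = ("Jun 22 12:00:00 mx dovecot: auth-worker(1012): sql({u},{ip},<s>): "
               "Password mismatch (SHA1 of given password: {h})")
    rotating = [dovecot.format(u=f"user{i}@example.org", ip=f"203.0.113.{i % 10 + 1}",
                               h=sha1(f"guess{i}")) for i in range(30)]   # 10 IPs x 3 tries
    stuck = [dovecot.format(u="alice@example.org", ip="198.51.100.9",
                            h=sha1("OldPassw0rd")) for _ in range(6)]     # same user, same hash
    dictionary = [("Jun 22 12:01:00 mx postfix/submission/smtpd[2231]: warning: unknown[192.0.2.44]: "
                   "SASL PLAIN authentication failed: authentication failure, "
                   "sasl_username=bob@example.org") for _ in range(6)]    # no hash: treat as guessing
    return rotating, stuck, dictionary


if __name__ == "__main__":
    triage = Triage()
    for raw in sys.stdin:                 # omprog writes one log line per read
        decision = triage.feed(raw.rstrip("\n"))
        if decision:
            print(ipset_command(*decision), flush=True)  # swap for subprocess.run in production
```

Run it from an rsyslog `omprog` action whose filter selects the dovecot auth and postfix smtpd lines; the same rotating-subnet input that leaves every IP under a five-failure per-IP limit produces one `ipset add` for `203.0.113.0/24`, while a single client replaying the same wrong password only raises a notification.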
There are more and more reasons to use 3rd party network reputation at the authentication level. While our platforms have a pretty sophisticated combination, which of course includes transparent 2FA, a very granular set of rules for stopping BEC (Business Email Compromise), and dropping obvious attacks into the firewall (ipset), not meaning to be blowing our own horn, just pointing out that while this problem needs a multi-layer approach, there are SOME things everyone can do...
- Use services like RATS-AUTH to block IPs that can safely be blocked as known hackers.
- Use services like RATS-NULL (or SpamHaus DROP lists) right at the firewall level. There are SOME networks that should simply be 'unplugged'.
- Block authentication from certain cloud platforms.
Very few mail servers have authentication from Azure, GoogleCloud, AWS, Digital Ocean and several others. Your clients are using their phones, offices, and home connections. You can always exempt blocking for the 'odd' client/customer IP that needs to relay from a cloud server.
- Turn off port 110 (well, all plain text authentication): 90% fewer email compromise reports when you do.
If you want more helpful tips, you can always ping me off list, and if I have time, can offer some advice. BEC compromise is still one of the biggest threats..
...
Nice to see Dovecot also following in our footsteps and looking at things like JA3 and other network level identifiers. Many Windows botnets and router botnets can be thwarted, or at least identified, without having to risk blocking shared IPs.
Fail2ban has been a great tool for many years for many people and purposes, but a lot more logic is needed now in that layer to safely block authentication attacks.
Hope this message helps members of the list. Some things should be made to help everyone, no matter what kind of email platform they use..
-- Michael, Happy Summer Solstice --
e.g. IPs you can't block, but individual connections you can.
grep Marai mail.info | wc -l == 14485
On 2023-06-22 04:58, André Rodier via dovecot wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
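Nick's advice earlier in the thread (AUTH only on the submission ports, never on 25) and Michael's points above (don't offer AUTH to cloud or DROP-listed networks, and no cleartext authentication) expressed as Postfix and Dovecot configuration. This is an added example, not configuration posted by either of them: the file paths, the cidr table name, the exempted address and the ranges in the table (RFC 5737 documentation prefixes standing in for real provider or DROP ranges) are assumptions, and the exact matching rules of smtpd_sasl_exceptions_networks should be confirmed in postconf(5) for the Postfix version in use.

```conf
# /etc/postfix/main.cf  (added example; paths and table name are assumptions)

# No AUTH on port 25: the MX only receives mail.  AUTH is re-enabled per
# service in master.cf below.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Never accept AUTH on a connection that is not TLS-protected.
smtpd_tls_auth_only = yes

# Do not offer AUTH to networks your users never submit from (cloud provider
# ranges, DROP-listed networks).  A leading "!pattern" exempts the odd
# customer host that must relay from a cloud VM; 192.0.2.10 is a placeholder.
smtpd_sasl_exceptions_networks = !192.0.2.10, cidr:/etc/postfix/no_auth_networks.cidr

# /etc/postfix/no_auth_networks.cidr  (lookup result is ignored; only the match
# matters.  Replace the documentation prefixes with the ranges you block.)
198.51.100.0/24   noauth
203.0.113.0/24    noauth

# /etc/postfix/master.cf: AUTH only on submission (587, STARTTLS required)
# and submissions (465, implicit TLS).
submission  inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submissions inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# /etc/dovecot/conf.d/10-auth.conf: refuse cleartext passwords on
# unencrypted IMAP/POP3 connections (this is Dovecot's default; keep it).
disable_plaintext_auth = yes

# /etc/dovecot/dovecot.conf: if nobody needs POP3, do not run it at all
# (Michael's "turn off port 110"): list only the protocols you serve.
protocols = imap lmtp
```

After `postfix reload`, a client on a listed range sees no AUTH in the EHLO response on 587/465 and gets none on 25 at all; `postconf -n` and `openssl s_client -starttls smtp -connect mx:587` are the quick checks that the per-service overrides took effect.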
participants (4): André Rodier, dovecot@ptld.com, Michael Peddemors, Nick Howitt