On 2023-06-22 12:58, André Rodier via Fail2ban-users wrote:
Hello, all.

I just set-up a new server, running postfix, with submission(s)
activated on standard ports (587, 465)

Shortly after it has been setup, I see brute force attacks (not
surprising) from a whole /24 network (more surprising).

I carefully checked the logs, and see the modus operandi, which
basically loop across the IP addresses in the network,
to avoid being blacklisted by tools like fail2ban. And it is true,
even with fail2ban activated, no IP is blacklisted.

By activating verbose logging, I see multiple user names are tried,
not only passwords.

Is there any way, with postfix, to run a script on authentication
failure, with information like the IP address and the
username passed, for instance.

I basically need features that fail2ban doesn't offer

- I would like to not rely on reading logs, removing one step and
acting more pro-actively.
- If a script is called on authentication failure, it is fairly easy
to use a Levenshtein distance to differentiate
between a user having lost his password and a brute force attack.
- If I log all the failure in a database, with the IP address, and the
whois information, the script would take decision
according to the whois information.

What are you using on your side ?

- Do you know any service, that I could use, to get the network to ban
from an IP address reputation, something like
crowdsec, for instance ?
- Anyone has success with Suricata, Snort, or a tool like this ?

Please, do not suggest third party hosted services, I want to be part
of my self-hosting solution.

Kind regards,
André

Are you sure the attacks are on port 465/587. All the big ones I used to see were on 25 with user/pass. There is still little action on 587 as far as I can see. There is a bit. I don't use 465.

What I have done is come at it from a completely different angle. Don't allow authentication on 25! If anyone needs to authenticate they have to use 587. If you're lazy you can allow unauthenticated connections from your LAN to save reconfiguring all internal devices, but for external devices, port 587 only. You still leave 25 open as you need it to receive emails.
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

Reply via email to