Cameron Camp wrote:
I've been happily using denyhosts for ssh brute force attacks,
1. What are best practices for the same functionality for Postfix?
2. Are there "gotchas" for trying to use denyhosts/fail2ban for this?
3. Should I use something else?
I'd like to stop attacks at the iptable/tcpwrapper level before it eats
up postfix resources. Sorry if that has already been asked.
Best,
Cam
It works great! I've been using it for a while to catch dictionary
attacks and relay attempts.
I have this in /etc/fail2ban/filter.d:
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 5
ignoreregex =
----------------------------------------------
and this in /etc/fail2ban/jail.conf:
[postfix]
enabled = true
filter = postfix
action = iptables-allports[name=postfix]
         sendmail-whois[name=postfix, dest=r...@cnysupport.com, sender=s...@cnysupport.com]
logpath = /var/log/maillog
maxretry = 6
Depending on how fast your email addresses change, 6 might be too low,
so you'll probably need to adjust it.
----------------------------------------------
which catches log entries like this:
Mar 2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT from unknown[122.110.167.253]: 554 5.7.1 <m...@headwaters.com>: Relay access denied; from=<cwall...@choirschool.org> to=<m...@headwaters.com> proto=SMTP helo=<122.110.167.253.optusnet.com.au>
Terry
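To check that the failregex in Terry's filter actually matches the kind of log line he shows, here is an added Python example (not from the thread and not fail2ban's own code) that applies the pattern to a few constructed log lines and counts hits per host the way a maxretry threshold would. It assumes a simplified IPv4-only stand-in for fail2ban's <HOST> token; real fail2ban also accepts hostnames and IPv6 there.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the post: a 5xx permanent rejection at RCPT time.
# Note the trailing ": 5" is what excludes 4xx temporary rejections.
FAILREGEX = r"reject: RCPT from (.*)\[<HOST>\]: 5"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def count_failures(lines, failregex: str = FAILREGEX) -> Counter:
    """Count matching log lines per client IP."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry: int = 6, failregex: str = FAILREGEX):
    """Hosts whose failure count reached maxretry, as the jail would ban them."""
    return sorted(h for h, n in count_failures(lines, failregex).items() if n >= maxretry)


# Constructed sample log lines modelled on the one in the post (documentation IPs).
_RELAY_DENIED = (
    "Mar  2 19:24:40 wormhole postfix/smtpd[23869]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <m@example.com>: Relay access denied; "
    "from=<x@example.net> to=<m@example.com> proto=SMTP helo=<192.0.2.10>"
)
SAMPLE_LOG = [_RELAY_DENIED] * 6 + [
    # one 5xx from a second host: counted, but below maxretry
    "Mar  2 19:25:01 wormhole postfix/smtpd[23870]: NOQUEUE: reject: RCPT from "
    "mail.example.org[198.51.100.7]: 554 5.7.1 <a@example.com>: Relay access denied;",
    # 4xx (greylisting-style) rejection: not matched, so no ban for a transient failure
    "Mar  2 19:25:03 wormhole postfix/smtpd[23871]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.9]: 450 4.2.0 <b@example.com>: Recipient address rejected: Greylisted;",
    # plain connection line: no reject at all
    "Mar  2 19:25:05 wormhole postfix/smtpd[23872]: connect from unknown[203.0.113.9]",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```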