On 23/05/24 10:33, Northwind via Postfix-users wrote:
Hello list,
In the last two days, my (small) mail system has been under attack.
mail.log shows a lot of this stuff:
May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
And fail2ban has dropped 2000+ blacklisted IPs:
$ sudo iptables -L -n|grep DROP|wc -l
2614
The attack continues at this time.
My questions are:
1. What is the purpose of this kind of attack? Brute-force password
cracking, or DDoS?
Likely brute force.
2. How to strengthen email system security to stop this?
Well you're already using fail2ban which is a good start.
You can enforce good password policies (password strength).
Things of note from the log entries above:
1/2 of the entries are from the smtp (port 25) service. This service
should be for MX communication only and should not accept
authentication. You can eliminate 1/2 of the attempts just by
disabling authentication on port 25.
All of these entries are using the LOGIN mech. Unless you have an
extremely old Outlook Express MUA (or similar) you can and should be
using the PLAIN mech. You can eliminate all of the above attacks by
removing LOGIN from the list of mechs you accept.
You can implement a policy daemon (such as postfwd) which can add limits
to help in case a password does get found. This can shut down a user
account before it gets used to send too much SPAM.
If you know that all of your users will originate in a certain country
or countries, you can use Geo-IP filtering to limit submission
connections to those countries. Note be careful not to block port 25
connections with this and realize that if you or your users ever intend
to do any travelling this could be problematic.
Peter
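The two observations in the reply above (about half of the failures arrive on port 25, and every one of them uses the LOGIN mechanism) can be checked mechanically against the posted log lines. The script below is an added example and is not code from the thread or from Postfix. It parses the excerpt (re-typed here as a constructed sample), decodes the base64 reason string that Postfix logged (UGFzc3dvcmQ6 is "Password:", the LOGIN mechanism's password prompt), attributes each failure to the listening service by its syslog name (plain "smtpd" is the port 25 "smtp" entry in master.cf; "smtps/smtpd" and "submission/smtpd" are the entries that should carry authentication), and reports how many attempts each of the two suggested changes would have removed. The regular expression and the "port25" classification are assumptions about the log format shown, not a Postfix API.

```python
# Added example (not from the original thread): triage Postfix SASL failures
# from a log excerpt and map them to the two fixes suggested in the reply.
import base64
import re
from collections import Counter

# Constructed sample, copied in shape from the log excerpt in the thread.
SAMPLE_LOG = """\
May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Assumed shape of the "SASL ... authentication failed" warning as shown in
# the excerpt. The service field is the syslog name Postfix uses for the
# master.cf entry: "smtpd" for port 25, "smtps/smtpd" or "submission/smtpd"
# for the authenticated listeners.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/(?P<service>[\w/]+)\[\d+\]: "
    r"warning: (?P<rdns>\S+?)\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed: (?P<reason>.*)$"
)


def decode_reason(reason):
    """Decode a base64 reason string; return other reasons unchanged.

    'UGFzc3dvcmQ6' decodes to 'Password:', the LOGIN mechanism's prompt.
    Free-text reasons such as 'Connection lost to authentication server'
    are not valid base64 and come back as they are."""
    try:
        text = base64.b64decode(reason, validate=True).decode("ascii")
        return text if text.isprintable() else reason
    except (ValueError, UnicodeDecodeError):
        return reason


def parse_log(text):
    """Yield one record per SASL failure line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["reason_decoded"] = decode_reason(rec["reason"])
            rec["port25"] = rec["service"] == "smtpd"
            yield rec


def triage(text):
    """Summarise failures the way the reply does.

    'port25' attempts disappear once authentication is disabled on the
    port 25 service; 'login_mech' attempts disappear once LOGIN is removed
    from the offered mechanisms."""
    recs = list(parse_log(text))
    return {
        "total": len(recs),
        "port25": sum(r["port25"] for r in recs),
        "login_mech": sum(r["mech"] == "LOGIN" for r in recs),
        "by_service": dict(Counter(r["service"] for r in recs)),
        "by_reason": dict(Counter(r["reason_decoded"] for r in recs)),
        "top_ips": Counter(r["ip"] for r in recs).most_common(3),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted excerpt this reports 9 failures, 5 on the port 25 service and 4 on smtps, all 9 with the LOGIN mechanism, 8 of them carrying the decoded "Password:" prompt, with 194.169.175.17 as the most frequent source. Run against the real mail.log it gives the before/after numbers for the two config changes: in Postfix, `smtpd_sasl_auth_enable = no` in main.cf with `-o smtpd_sasl_auth_enable=yes` only on the submission and smtps entries in master.cf, and in Dovecot `auth_mechanisms = plain` in conf.d/10-auth.conf to stop offering LOGIN.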
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org