On 25/05/2024 20:50, John Hill via Postfix-users wrote:
On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:
On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up
with the conversation!
I had auth on ports I did not need. I use auth on submission port
587, for users access.
I do get a boat load of failed login attempts on 587. Funny how a
China, US, Argentina, you name it, hosts, will try the same failed
username password at nearly the same time.
Small world.
I use Fail2Ban to block the failed IP. The script writes it into the
nftables table immediately.
I think this keeps Postfix waiting and times out, not a big deal. Is
there a cli that my bash script could force disconnect the ip from
Postfix?
I did search the man page and the docs, sorry if I missed it.
Thanks
--john
Hi John
maybe controversial for use on the submission service, but a while
back I started using spamhaus xbl (the exploits data only, not the
PBL or spammer data) as the first check (reject_rbl_client) in
smtpd_client_restrictions for the submission service (on which I have
AUTH enabled only after STARTTLS). I saw two results
1. there are few illegitimate smtp auth attempts that aren't blocked
by XBL and end up trying the credentials
2. even the blocked traffic has fallen off to a small number of tries
per day (usually < 20).
Point 2 tends to indicate that the hacker scripts only start
hammering when they find an AUTH command enabled.
Fail2ban can still be used for the ips that get through, since then
they start hammering, but the cases are so limited I haven't bothered.
John
I use zen.spamhaus.net in postscreen.
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
Is this the same thing?
--john
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
postscreen is protecting the smtp service (port 25). I also use the zen
configuration you have above in postscreen, (i.e. including the other
data not just xbl) since I am more aggressive for smtp.
For submission I only use xbl (return code 127.0.0.4) excluding
other data contained in zen like pbl that lists isp dynamic ip ranges
from which you would normally expect to get connections to submission.
For me it's safe to use xbl for submission since I don't want
connections from exploited machines and it cuts out most of the noise
and some of the risk from people hammering smtp auth. It won't fit
everyone's use case though.
John
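
To illustrate the difference between the two filters discussed in this thread (an added example, not code from any poster or from Postfix): the sketch below evaluates `zen.spamhaus.org=127.0.0.[2..11]` and a bare `127.0.0.4` filter against DNSBL replies. The function names, the documentation-range IPs and the replies are constructed, the filter matching is a simplified re-implementation rather than Postfix's own parser, and treating 127.0.0.10 and 127.0.0.11 as the PBL codes is taken from Spamhaus's published return codes, not from the thread.

```python
import ipaddress
import re

POSTSCREEN_FILTER = "127.0.0.[2..11]"  # from the thread: port 25, all zen data
SUBMISSION_FILTER = "127.0.0.4"        # from the thread: port 587, XBL only

def dnsbl_query_name(client_ip, zone="zen.spamhaus.org"):
    """Name a DNSBL client looks up: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def _octet_values(field):
    """Expand one filter field: '4', '[2..11]' or '[2;4..7]'."""
    if not field.startswith("["):
        return {int(field)}
    values = set()
    for part in field[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values

def reply_matches(filter_pattern, reply):
    """True if a DNSBL A-record reply falls inside the filter pattern."""
    fields = re.findall(r"\[[^\]]*\]|[^.]+", filter_pattern)
    octets = reply.split(".")
    return len(fields) == 4 == len(octets) and all(
        int(o) in _octet_values(f) for f, o in zip(fields, octets))

def listed(filter_pattern, replies):
    return any(reply_matches(filter_pattern, r) for r in replies)

# Constructed A-record replies for documentation IPs (no real lookups).
SAMPLES = {
    "192.0.2.10": ["127.0.0.10"],                # PBL only: ISP dynamic range
    "198.51.100.7": ["127.0.0.4"],               # XBL: exploited host
    "203.0.113.5": ["127.0.0.4", "127.0.0.11"],  # XBL and PBL
    "192.0.2.99": [],                            # NXDOMAIN: not listed
}

def verdicts(samples=SAMPLES):
    """Per client: would the port 25 and the port 587 filter match?"""
    return {ip: {"smtp25": listed(POSTSCREEN_FILTER, r),
                 "submission587": listed(SUBMISSION_FILTER, r)}
            for ip, r in samples.items()}

if __name__ == "__main__":
    for ip, v in verdicts().items():
        print(dnsbl_query_name(ip), v)
```

The PBL-only client is the case that matters for submission: it matches the port 25 filter but not the XBL-only one, so a user on a dynamic ISP address can still reach port 587.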