On 23.04.2012 06:50, Olivier Pavilla wrote:
> Hi everyone.
> For several months my SMTP server has been harassed by someone located in Taiwan.
> These people are using various Taiwanese IPs.
> My logs are full of entries like this:
> Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[113.116.186.27]: 554 5.7.1 <wa...@163.com>: Recipient address rejected: Relay access denied; from=<p...@dumpsize.com> to=<wa...@163.com> proto=ESMTP helo=<zyh-4b482e797ce>
> Apr 23 06:35:31 corellia postfix/smtpd[26906]: warning: restriction `reject_unauth_destination' after `check_relay_domains' is ignored
Hello,
inetnum: 113.112.0.0 - 113.119.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
is what I get from whois. So it's China, not Taiwan?
> At least blocking all Taiwanese IPs. Does anyone have an idea how to counter-strike these people?
Yes, maybe.
Stevan Bajic showed me an effective way to do this with fail2ban.
You can use "fail2ban" on Postfix; it just needs some modification:
In /etc/fail2ban/jail.conf do this:
[postfix-attack]
enabled  = true
filter   = yourdomain-postfix-attack
action   = iptables-multiport[name=Postfix-Attacks, port="smtp,ssmtp", protocol=tcp]
logpath  = /var/log/messages
ignoreip = 127.0.0.1 xx.xxx.xxx.xxx/32
bantime  = 240
maxretry = 3
In /etc/fail2ban/filter.d/yourdomain-postfix-attack.conf do this:
# Fail2Ban configuration file
#
# Author: Stevan Bajic <ste...@bajic.ch>
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match various bad conditions for Postfix in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Continuation lines of a multi-line value must be indented, otherwise fail2ban
# reads only the first pattern.
# Third pattern: \w+ rather than \w, so "after CONNECT"/"after RCPT" match.
# Fourth pattern: Postfix logs "hostname <name> verification failed", so a
# \s+ is needed between "hostname" and the name.
failregex = postfix/smtpd\[\d+\]:\s+warning:\s+Connection\s+rate\s+limit\s+exceeded:\s+[^\[]+\[<HOST>\]\s+for\s+service\s+smtp$
            postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+(55[034]\s+|450\s+.*Client\s+host\s+rejected:\s+cannot\s+find\s+your\s+reverse\s+hostname|451\s+(4\.3\.5\s+)?Server\s+configuration\s+error\;\s+from=<.*>\s+to=<.*>\s+proto=.*\s+e?helo=<.*>\s*$|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)
            postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+\w+\s+from\s+[^\[]+\[<HOST>\]$
            postfix/smtpd\[\d+\]:\s+warning:\s+<HOST>:\s+hostname\s+[^\s]+\s+verification\s+failed:\s+No\s+address\s+associated\s+with\s+hostname$
            postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+DATA\s+\(0\s+bytes\)\s+from\s+[^\[]*\[<HOST>\]$
            postfix/smtpd\[\d+\]:\s+too\s+many\s+errors\s+after\s+RCPT\s+from\s+[^\[]*\[<HOST>\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
You may have to modify the "logpath" in the above jail.conf.
Further, you can use "sqlgrey" or any other greylisting, I think.
Maybe have a look at "sqlgrey".
You can also use POSTSCREEN at the beginning of the chain. Postscreen is very
well documented on postfix.org and here in the list.
Hope this helps you out a bit.
Greetz from Hamburg
Marko
> --
> Olivier Pavilla
> http://www.linux-squad.com
> "The spelling mistakes in my remarks are licensed under Ane bâté 1.0"
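To see what the filter above actually catches before deploying it, here is an added, stand-alone example (not from the thread and not fail2ban's own code) that runs the six failregex lines over a few Postfix log lines and applies the jail's maxretry and ignoreip logic. It assumes a simplified model of fail2ban: `<HOST>` is expanded to the alias quoted in the filter header, each pattern is applied with `re.search` to the whole syslog line (no date parsing, no findtime window), and ignoreip is matched with the `ipaddress` module. The third and fourth patterns use `\w+` and `hostname\s+` so that "lost connection after CONNECT" and "hostname foo verification failed" lines match Postfix's real message format. The first two sample lines are the ones quoted from Olivier's log; the remaining lines, the host 198.51.100.7 and the hostname mx.invalid are constructed for the example.

```python
import ipaddress
import re

# The six failregex lines from the filter, in fail2ban syntax (<HOST> placeholder).
FAILREGEX = [
    r"postfix/smtpd\[\d+\]:\s+warning:\s+Connection\s+rate\s+limit\s+exceeded:\s+[^\[]+\[<HOST>\]\s+for\s+service\s+smtp$",
    r"postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+(55[034]\s+|450\s+.*Client\s+host\s+rejected:\s+cannot\s+find\s+your\s+reverse\s+hostname|451\s+(4\.3\.5\s+)?Server\s+configuration\s+error\;\s+from=<.*>\s+to=<.*>\s+proto=.*\s+e?helo=<.*>\s*$|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)",
    r"postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+\w+\s+from\s+[^\[]+\[<HOST>\]$",
    r"postfix/smtpd\[\d+\]:\s+warning:\s+<HOST>:\s+hostname\s+[^\s]+\s+verification\s+failed:\s+No\s+address\s+associated\s+with\s+hostname$",
    r"postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+DATA\s+\(0\s+bytes\)\s+from\s+[^\[]*\[<HOST>\]$",
    r"postfix/smtpd\[\d+\]:\s+too\s+many\s+errors\s+after\s+RCPT\s+from\s+[^\[]*\[<HOST>\]$",
]

# fail2ban replaces <HOST> with this alias (quoted in the filter's comment header).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]


def match_line(line):
    """Return the host captured by the first matching failregex, or None.

    Simplification (assumption): fail2ban strips the syslog date first; here
    re.search over the whole line gives the same result for these patterns.
    """
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host, ignoreip):
    """True if host falls inside one of the ignoreip addresses/networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address is never in ignoreip
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def scan(lines, maxretry=3, ignoreip=("127.0.0.1",)):
    """Count failures per host and list hosts that reach maxretry.

    Returns (counts, banned). No findtime window is modelled (assumption).
    """
    counts = {}
    banned = []
    for line in lines:
        host = match_line(line)
        if host is None or is_ignored(host, ignoreip):
            continue
        counts[host] = counts.get(host, 0) + 1
        if counts[host] == maxretry:
            banned.append(host)
    return counts, banned


# Constructed sample log. Lines 0 and 1 are the ones quoted in the thread; the
# rest (and the addresses 198.51.100.7, 192.0.2.10, mx.invalid) are made up.
SAMPLE_LOG = [
    "Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[113.116.186.27]: 554 5.7.1 <wa...@163.com>: Recipient address rejected: Relay access denied; from=<p...@dumpsize.com> to=<wa...@163.com> proto=ESMTP helo=<zyh-4b482e797ce>",
    "Apr 23 06:35:31 corellia postfix/smtpd[26906]: warning: restriction `reject_unauth_destination' after `check_relay_domains' is ignored",
    "Apr 23 06:40:02 corellia postfix/smtpd[26910]: lost connection after CONNECT from unknown[113.116.186.27]",
    "Apr 23 06:42:00 corellia postfix/smtpd[26915]: connect from mail.example.org[192.0.2.10]",
    "Apr 23 06:43:09 corellia postfix/smtpd[26918]: warning: 198.51.100.7: hostname mx.invalid verification failed: No address associated with hostname",
    "Apr 23 06:44:00 corellia postfix/smtpd[26920]: lost connection after RCPT from localhost[127.0.0.1]",
    "Apr 23 06:45:11 corellia postfix/smtpd[26922]: too many errors after RCPT from unknown[113.116.186.27]",
]

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host:16s} {n} failure(s)")
    print("would ban:", banned)
```

The configuration warning about `check_relay_domains` is a main.cf problem rather than a client failure, and the example confirms none of the six patterns fires on it; the loopback line is matched by the third pattern but dropped by ignoreip, which is why that setting matters when a local scanner or monitoring check talks to the SMTP port.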