On 06.01.2014 17:40, post...@pupat-ghestem.net wrote:
> On 1/6/2014 5:32 PM, Mike McGinn wrote:
>> On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
>>> A couple of days ago my mail server got attacked by a spammer. As it
>>> looks like he managed to compromise the password of one of the users on
>>> the system and SASL authenticated using the account to send spam. I
>>> blocked the attacking IP and changed the password of the affected user.
>>> Still the spammer managed to send out quite a lot of mails due
>>> to permit_sasl_authenticated letting him pass by. Now to deal with this
>>> situation in the future I would like to automatically lock down an
>>> account if an unusual amount of mails are sent like 60 per minute or so.
>>> I could though not figure out if postfix is able to do this or how to
>>> get this done. Any ideas?
>> Welcome to the club.
>> I had an account get compromised on Christmas Day and got my server
>> blacklisted. Changed the password.
>>
>> Now in my dovecot logs I see logins for this account from various IP
>> addresses in Russia and the former Soviet republics. These seem to be
>> from some sort of botnet as they come in bursts from different IP
>> addresses. I have been adding the CIDRs for these networks to my
>> firewall as they show up.
>>
>> I am not a mail guy, but I find knowing how to use a firewall comes in
>> handy.
>>
> I use fail2ban to block bots trying to guess passwords. Any IP that
> enters a wrong password more than a certain number of times is banned for
> 10 minutes. Any such IP that gets banned too much this way gets banned
> for a week.
>
> I get attempts from pretty much all over the world (US, Europe, Russia,
> China, India, ...)

Hacked accounts are mostly not based on password brute-force attacks
(but I agree fail2ban is good to fight it); it's easier to infect some
unpatched/undefended win client, or fish the password over unencrypted
connections over WLAN etc., i.e. with tablets, smartphones.

Best Regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
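
The rate check asked about in the quoted question (an account sending more than about 60 mails per minute), as an added example that is not part of the original thread or of Postfix. It assumes smtpd logs one `client=..., sasl_username=...` line per accepted message; the host name, addresses and users in the sample are constructed, and the function only reports the account and source IPs, leaving the lock-down to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog layout: "<ts> <host> postfix/smtpd[pid]: <queue id>: client=..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r"[0-9A-F]+:\sclient=\S+?\[(?P<ip>[^\]]+)\],.*?sasl_username=(?P<user>\S+)"
)

def find_bursts(lines, limit=60, window=60, year=2014):
    """Return {user: {client IPs}} for SASL accounts that submit more than
    `limit` messages inside any sliding `window` of seconds."""
    recent = defaultdict(deque)   # user -> (timestamp, ip) still inside window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an authenticated submission line
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while (ts - q[0][0]).total_seconds() >= window:
            q.popleft()           # drop entries older than the window
        if len(q) > limit:
            flagged[m["user"]].update(ip for _, ip in q)
    return dict(flagged)

def sample_log(count=90, step=0.5):
    """Constructed log: 'alice' sends `count` mails `step` seconds apart,
    'bob' sends three mails spread over an hour."""
    tail = "sasl_method=LOGIN, sasl_username="
    lines = []
    for i in range(count):
        sec = int(i * step)
        lines.append(f"Jan  6 10:{12 + sec // 60:02d}:{sec % 60:02d} mail "
                     f"postfix/smtpd[2101]: {0xA1000 + i:X}: "
                     f"client=unknown[203.0.113.5], {tail}alice")
    for n, hhmm in enumerate(("10:12", "10:40", "11:05")):
        lines.append(f"Jan  6 {hhmm}:00 mail postfix/smtpd[2102]: B200{n}: "
                     f"client=host.example[198.51.100.7], {tail}bob")
    return lines

if __name__ == "__main__":
    for user, ips in find_bursts(sample_log()).items():
        print(f"burst from {user} via {sorted(ips)}")
```
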