On Monday, January 06, 2014 11:40:02 post...@pupat-ghestem.net wrote:
> On 1/6/2014 5:32 PM, Mike McGinn wrote:
> > On Monday, January 06, 2014 10:12:38 Roland Plüss wrote:
> >> A couple of days ago my mail server got attacked by a spammer. As it
> >> looks like he managed to compromise the password of one of the users on
> >> the system and SASL authenticated using the account to send spam. I
> >> blocked the attacking IP and changed the password of the affected user.
> >> Still the spammer managed to send out quite a lot of mails because of
> >> permit_sasl_authenticated letting him pass by. Now to deal with this
> >> situation in the future I would like to automatically lock down an
> >> account if an unusual amount of mails are sent like 60 per minute or so.
> >> I could though not figure out if postfix is able to do this or how to
> >> get this done. Any ideas?
> > 
> > Welcome to the club.
> > I had an account get compromised on Christmas Day and got my server
> > blacklisted. Changed the password.
> > 
> > Now in my dovecot logs I see login for this account from various IP
> > addresses in Russia and the former Soviet republics. These seem to be
> > from some sort of botnet as they come in bursts from different IP
> > addresses. I have been adding the CIDRs for these networks to my
> > firewall as they show up.
> > 
> > I am not a mail guy, but I find knowing how to use a firewall comes in
> > handy.
> 
> I use fail2ban to block bots trying to guess passwords. Any IP that
> enters a wrong password more than a certain number of times is banned for
> 10 minutes. Any such IP that gets banned too much this way gets banned
> for a week.
> 
> I get attempts from pretty much all over the world (US, Europe, Russia,
> China, India, ....)

I do not think that would work in this case. Here is a log segment:

Jan 06 15:39:54 auth-worker: Info: sql(x...@yyyy.com,178.125.1.161): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:39:56 auth-worker: Info: sql(x...@yyyy.com,92.112.9.115): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:02 auth-worker: Info: sql(x...@yyyy.com,95.54.109.61): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:09 auth-worker: Info: sql(x...@yyyy.com,176.36.143.102): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:09 auth-worker: Info: sql(x...@yyyy.com,91.243.244.178): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:13 auth-worker: Info: sql(x...@yyyy.com,178.125.123.37): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:17 auth-worker: Info: sql(x...@yyyy.com,27.51.141.237): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:26 auth-worker: Info: sql(x...@yyyy.com,178.159.84.173): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:30 auth-worker: Info: sql(x...@yyyy.com,81.25.41.8): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:31 auth-worker: Info: sql(x...@yyyy.com,81.190.37.211): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:36 auth-worker: Info: sql(x...@yyyy.com,88.135.234.151): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:38 auth-worker: Info: sql(x...@yyyy.com,92.47.194.87): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:40 auth-worker: Info: sql(x...@yyyy.com,87.119.36.222): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:46 auth-worker: Info: sql(x...@yyyy.com,109.254.192.87): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:50 auth-worker: Info: sql(x...@yyyy.com,37.45.187.140): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:40:54 auth-worker: Info: sql(x...@yyyy.com,5.199.239.94): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:00 auth-worker: Info: sql(x...@yyyy.com,95.68.168.185): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:06 auth-worker: Info: sql(x...@yyyy.com,93.89.218.239): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 06 15:41:12 auth-worker: Info: sql(x...@yyyy.com,178.123.34.42): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)
Jan 07 15:41:19 auth-worker: Info: sql(x...@yyyy.com,95.81.253.200): Password 
mismatch (SHA1 of given password: 0a5e6fada9ce9f46726e7469f3c8c19bca7156d5)


-- 
Mike McGinn             KD2CNU
Ex Uno Plurima
No electrons were harmed in sending this message, some were inconvenienced.
** Registered Linux User 377849
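The log excerpt above shows why a per-IP ban counter such as fail2ban never fires here: every attempt against the account arrives from a different address, and every attempt carries the same SHA1 of the given password, i.e. one credential being replayed from many hosts rather than a dictionary attack from one. The script below is an added example, not code from the thread or from Dovecot or fail2ban. It parses lines of the same shape as the dovecot auth-worker output quoted above, shows what a per-IP counter sees, and instead counts distinct source addresses per account inside a sliding window, which is the signal that justifies locking the account rather than banning addresses. The account names, addresses (TEST-NET ranges), hashes and timestamps in the sample are constructed; the year is assumed because the syslog timestamp lacks one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the dovecot auth-worker "Password mismatch" line as quoted in the
# thread. The year is absent from the syslog timestamp and is assumed below.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) auth-worker: Info: "
    r"sql\((?P<user>[^,]+),(?P<ip>[^)]+)\): Password mismatch "
    r"\(SHA1 of given password: (?P<sha1>[0-9a-f]{40})\)$"
)


def parse_line(line, year=2014):
    """Return a dict for one auth-worker mismatch line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "sha1": m["sha1"]}


def failures_per_ip(lines, year=2014):
    """What a per-IP ban counter (fail2ban style) would see: failures keyed by address."""
    counts = defaultdict(int)
    for line in lines:
        e = parse_line(line, year)
        if e:
            counts[e["ip"]] += 1
    return dict(counts)


def find_distributed_guessing(lines, window_s=120, min_ips=5, year=2014):
    """Flag accounts whose failed logins within any window_s-second window came
    from at least min_ips distinct addresses. Also records whether every attempt
    in the window used the same password (one credential replayed, as in the
    thread's log) or many different ones (a dictionary run)."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-account sliding window of events
    alerts = {}
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        ips = {x["ip"] for x in q}
        if len(ips) >= min_ips:
            alerts[e["user"]] = {
                "distinct_ips": len(ips),
                "attempts": len(q),
                "single_password_replayed": len({x["sha1"] for x in q}) == 1,
                "window_start": q[0]["ts"],
                "window_end": e["ts"],
            }
    return alerts


# ---- constructed sample log (not real data) --------------------------------
REPLAYED = "deadbeef" * 5   # constructed hash: the same guess on every attempt


def _line(hms, user, ip, sha1):
    return (f"Jan 06 {hms} auth-worker: Info: sql({user},{ip}): "
            f"Password mismatch (SHA1 of given password: {sha1})")


SAMPLE_LOG = "\n".join([
    # one account, six addresses, one replayed password, inside 80 seconds
    _line("15:39:54", "victim@example.com", "192.0.2.11", REPLAYED),
    _line("15:40:10", "victim@example.com", "192.0.2.23", REPLAYED),
    _line("15:40:25", "victim@example.com", "192.0.2.57", REPLAYED),
    _line("15:40:40", "victim@example.com", "192.0.2.102", REPLAYED),
    _line("15:40:55", "victim@example.com", "192.0.2.130", REPLAYED),
    _line("15:41:10", "victim@example.com", "192.0.2.199", REPLAYED),
    # one address hammering one account with different guesses: a per-IP ban catches this
    _line("15:40:00", "other@example.com", "198.51.100.7", "cafebabe" * 5),
    _line("15:40:03", "other@example.com", "198.51.100.7", "feedface" * 5),
    _line("15:40:06", "other@example.com", "198.51.100.7", "0badf00d" * 5),
    _line("15:40:09", "other@example.com", "198.51.100.7", "c0ffee00" * 5),
    # a single typo from a legitimate user, flagged by neither view
    _line("15:42:00", "typo@example.com", "203.0.113.5", "aabbccdd" * 5),
])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-IP failure counts:", failures_per_ip(lines))
    for user, a in find_distributed_guessing(lines).items():
        print(f"{user}: {a['distinct_ips']} addresses, {a['attempts']} attempts, "
              f"same password every time: {a['single_password_replayed']}")
```

Run against the sample, the per-IP view counts four failures for 198.51.100.7 and exactly one for each of the six addresses aimed at victim@example.com, so an address-based threshold of two or more never trips for the distributed case, while the per-account view flags it after the fifth distinct address. The `single_password_replayed` field separates the thread's situation (a leaked password still being tried after it was changed) from a dictionary run, which is useful when deciding between locking the account and simply blocking addresses.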
