How are others handling dictionary attacks (AUTH) with Postfix. For example:

Jun 19 21:28:24 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:24 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:24 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:25 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:25 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:25 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:25 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:26 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:26 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:29 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:30 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:30 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:31 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:32 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: warning: Connection rate limit exceeded: 6 from unknown[212.131.132.49] for service smtp
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2


I've limited the number of connections, and I suppose I could just ignore these as they don't succeed. I'm not sure it would be appropriate at the Postfix level to have something that rejects from that IP for X days, as that would be sorta outside the realm of MTA. I've heard of fail2ban, but I hesitate to further complicate my setup. But I may need to compromise?

Input, suggestions welcomed.



Thanks.
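As an added example, not part of the original post or of Postfix/fail2ban: a small detector that does the core of what a fail2ban jail would do with these lines. It parses the smtpd "disconnect" summary, treats auth=0/1 (attempted but not succeeded) as a failed AUTH, and flags any client that exceeds a threshold of failures inside a sliding time window. The sample log is constructed from the lines quoted above plus one made-up successful login from 192.0.2.10; the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input constructed from the post's log plus one benign line (192.0.2.10 is made up).
SAMPLE_LOG = [
    "Jun 19 21:28:24 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]",
    "Jun 19 21:28:24 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
    "Jun 19 21:28:25 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
    "Jun 19 21:28:26 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
    "Jun 19 21:28:30 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
    "Jun 19 21:28:31 mail postfix/smtpd[32583]: disconnect from laptop.example[192.0.2.10] ehlo=1 auth=1/1 mail=1 commands=3/3",
    "Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
    "Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2",
]

# Matches the smtpd disconnect summary and extracts timestamp, client IP and
# the auth=<succeeded>/<attempted> counter; other lines (connect, warning) are skipped.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[\d.]+)\].* auth=(?P<ok>\d+)/(?P<tried>\d+)"
)


def parse_auth_failures(lines, year=2024):
    """Yield (timestamp, ip) for each disconnect line recording a failed AUTH.
    The year is an assumption supplied by the caller (syslog omits it)."""
    for line in lines:
        m = DISCONNECT_RE.match(line)
        if not m or int(m["tried"]) <= int(m["ok"]):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for clients whose failed AUTHs within any
    sliding window of length `window` exceed max_failures."""
    recent_by_ip = defaultdict(list)
    flagged = {}
    for ts, ip in parse_auth_failures(lines):
        # Keep only failures still inside the window, then add this one.
        recent = [t for t in recent_by_ip[ip] if ts - t <= window]
        recent.append(ts)
        recent_by_ip[ip] = recent
        if len(recent) > max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(recent))
    return flagged


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'212.131.132.49': 6}
```

The flagged dictionary is what you would hand to a firewall rule or to a Postfix client access map with an expiry; the successful login from 192.0.2.10 never enters the count.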