On 20.06.2015 at 20:23, Forrest wrote:
How are others handling dictionary attacks (AUTH) with Postfix? For
example:
Jun 19 21:28:24 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:24 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:24 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:25 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:25 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:25 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:25 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:26 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:26 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:29 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:30 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:30 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:31 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:32 mail postfix/smtpd[32583]: connect from unknown[212.131.132.49]
Jun 19 21:28:32 mail postfix/smtpd[32583]: warning: Connection rate limit exceeded: 6 from unknown[212.131.132.49] for service smtp
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[212.131.132.49] ehlo=1 auth=0/1 commands=1/2
I've limited the number of connections, and I suppose I could just
ignore these as they don't succeed. I'm not sure it would be
appropriate at the Postfix level to have something that rejects from
that IP for X days, as that would be sorta outside the realm of MTA.
I've heard of fail2ban, but I hesitate to further complicate my
setup. But I may need to compromise?
Input, suggestions welcomed.
Thanks.
Hi,
fail2ban maybe?
Greetings
Juergen
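As an added illustration (not code from either poster), the following Python script does the kind of counting a fail2ban jail automates for the pattern Forrest quotes: it reads Postfix smtpd "disconnect from" lines, takes the failed AUTH attempts per client from the auth=succeeded/total counter, and reports client IPs that exceed a threshold within a sliding time window. The log lines, hostnames and addresses in SAMPLE_LOG are constructed; the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the smtpd lines in the thread (not real traffic).
# The "lost connection after AUTH" line is ignored on purpose: a client that drops
# mid-AUTH also produces it, so the auth=ok/total summary is the reliable signal.
SAMPLE_LOG = """\
Jun 19 21:28:24 mail postfix/smtpd[32583]: lost connection after AUTH from unknown[203.0.113.7]
Jun 19 21:28:24 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:25 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:26 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:30 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:28:32 mail postfix/smtpd[32583]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:40:01 mail postfix/smtpd[32590]: disconnect from host.example.net[198.51.100.20] ehlo=1 auth=0/1 commands=1/2
Jun 19 21:40:09 mail postfix/smtpd[32590]: disconnect from host.example.net[198.51.100.20] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# syslog timestamp, client name[ip], and the auth=succeeded/total counter of the summary line
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[^\]]+)\].* auth=(?P<ok>\d+)/(?P<total>\d+)"
)


def failed_auth_events(log_text):
    """Yield (timestamp, ip, failed_attempts) for every session that failed AUTH."""
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        failed = int(m["total"]) - int(m["ok"])
        if failed > 0:
            # syslog lines carry no year; relative arithmetic within one log is all we need
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], failed


def offending_ips(log_text, threshold=5, window_s=600):
    """Return {ip: total_failures} for IPs with >= threshold failures inside any window_s span."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, failed in failed_auth_events(log_text):
        stamps_by_ip[ip].extend([ts] * failed)  # one entry per failed attempt
    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders
```

The script only reports; acting on the result (a firewall rule with an expiry, or a fail2ban action) stays outside the MTA, which is the separation Forrest was asking about.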