On 2 Apr 2019, at 8:10, James Brown wrote:
> Thanks Esteban. I have fail2ban installed. Unfortunately each attempt
> comes from a different IP (botnet I presume). I’m finding this all
> the time now, so fail2ban seems to be no longer much use.
> Was just hoping there was a Postfix or Dovecot setting I could use to
> ignore these submission attempts.
While fail2ban with its stock config isn't going to help much, the
approach Michael suggested can work.
I use a more draconian but slower approach, with a custom log watcher
that immediately blocks any IP from touching relevant ports (110, 143,
465, 587, 993, and 995) if it fails an auth attempt in any /16 that has
not had a successful authentication in the past week. Those firewall
rules eventually age out if not hit. Once a week, I manually use those
automated rules to identify ranges at the RIR allocation block or
visible route level that will almost surely never legitimately attempt
mail auth on my system and ban them from those ports permanently. I also
have a simple web mechanism for users to punch an opening for their
current IP.
That is a reasonable fit for a small mail system. I don't think it would
be feasible with a large set of users, particularly heavy travelers or
people who frequently change devices (i.e. prone to auth failures from
unfamiliar networks) and who are mystified by the "URL knocking" trick.
When I first started this, the weekly triage & escalation was a
substantial chunk of work but after a year of adding new ranges as they
appear, I now have only a handful of probes per week to check out and
often no new larger blocks to shun.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
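The watcher described in the reply above, as an added example that is not Bill Cole's code or anything from the Postfix or Dovecot projects: a failed login from an IP whose /16 has had no successful login in the past week gets the IP blocked on the six auth ports, and a block that is not hit again ages out. The port list and the /16 plus one-week rule are taken from the post; the log format (loosely Dovecot-shaped, constructed here), the regex, the 3-day block lifetime, the iptables rendering and the /32 bucket for IPv6 are assumptions of this example.

```python
"""Added example, not from the thread: a minimal model of the /16-aware auth
blocklist described in the post.  Log lines are constructed, loosely
Dovecot-shaped samples using TEST-NET addresses, not real traffic."""
import ipaddress
import re
from datetime import datetime, timedelta

# Ports named in the post: POP3, IMAP, SMTPS, submission, IMAPS, POP3S.
AUTH_PORTS = (110, 143, 465, 587, 993, 995)
SUCCESS_WINDOW = timedelta(days=7)   # from the post: a /16 with a success this recent is not blocked
BLOCK_TTL = timedelta(days=3)        # assumption: how long an unhit block survives before aging out

# Assumed line shape: "<iso-timestamp> <service>: <message ... rip=<remote ip>, ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+): (?P<msg>.*?)\brip=(?P<rip>[0-9a-fA-F.:]+)")


def parse_line(line):
    """Return (timestamp, remote_ip, succeeded) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    ip = ipaddress.ip_address(m.group("rip"))
    msg = m.group("msg")
    if msg.startswith("Login:"):
        return ts, ip, True
    if "auth failed" in msg:
        return ts, ip, False
    return None


def coarse_block(ip):
    """The /16 the post keys on; for IPv6 a /32 is used as the analogous bucket (assumption)."""
    prefix = 16 if ip.version == 4 else 32
    return ipaddress.ip_network((str(ip), prefix), strict=False)


class AuthWatcher:
    def __init__(self):
        self.last_success = {}   # /16 network -> time of most recent successful login
        self.blocks = {}         # blocked ip -> time the rule was created or last hit

    def observe(self, ts, ip, succeeded):
        """Feed one parsed event; return the IP if this event creates a new block."""
        net = coarse_block(ip)
        if succeeded:
            self.last_success[net] = ts
            return None
        if ip in self.blocks:
            self.blocks[ip] = ts          # a hit refreshes the rule so it does not age out
            return None
        last = self.last_success.get(net)
        if last is not None and ts - last <= SUCCESS_WINDOW:
            return None                   # /16 has recent legitimate users: leave this to ordinary rate limiting
        self.blocks[ip] = ts
        return ip

    def expire(self, now):
        """Drop rules not hit within BLOCK_TTL (the post's 'age out'); return what was dropped."""
        stale = [ip for ip, t in self.blocks.items() if now - t > BLOCK_TTL]
        for ip in stale:
            del self.blocks[ip]
        return stale

    def rule_for(self, ip):
        """Render one block as an iptables command (one possible backend, assumed here)."""
        ports = ",".join(str(p) for p in AUTH_PORTS)
        return f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {ports} -j DROP"


def run(log_text, watcher=None):
    """Replay a log; return the watcher and the IPs newly blocked, in order."""
    watcher = watcher or AuthWatcher()
    newly = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            hit = watcher.observe(*event)
            if hit is not None:
                newly.append(hit)
    return watcher, newly


# Constructed sample: alice logs in from 203.0.0.0/16, then that /16 sees one failure
# (tolerated), while 198.51.0.0/16 has never authenticated and its probes get blocked.
SAMPLE_LOG = """\
2019-04-01T09:00:00 imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
2019-04-02T08:05:00 imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.88, lip=192.0.2.1, TLS
2019-04-02T08:06:00 pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS
2019-04-02T08:07:00 imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=198.51.100.200, lip=192.0.2.1, TLS
2019-04-02T08:08:00 imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS
"""


def demo(expire_at="2019-04-05T08:07:30"):
    """Replay SAMPLE_LOG, then age out rules; returns (blocked, expired, remaining) as strings."""
    watcher, blocked = run(SAMPLE_LOG)
    expired = watcher.expire(datetime.fromisoformat(expire_at))
    remaining = sorted(str(ip) for ip in watcher.blocks)
    return [str(ip) for ip in blocked], [str(ip) for ip in expired], remaining


if __name__ == "__main__":
    watcher, blocked = run(SAMPLE_LOG)
    for ip in blocked:
        print(watcher.rule_for(ip))
```

Two things the sample makes visible: the block is per IP, not per /16, so a failure from 203.0.113.88 is tolerated only because alice authenticated from that /16 within the window; and the second probe from 198.51.100.9 refreshes its rule, which is why it outlives 198.51.100.200 at the expiry time in demo().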