On 6 Jul 2020, at 3:33, Robert Chalmers (Author) wrote:
> I’m getting lots and lots of these types of login attempts;
>
> warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 (postfix log)
>
> Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given password: sale01) (dovecot log)
>
> and I’m wondering if there is some way - other than what I have - of
> blocking them, or automatically adding their IP to a <badhosts> list
> that I have for pfctl.
There certainly COULD be. I've set up a rather ugly log watcher with a
script that manages an ipfw firewall, so it doesn't take any
extraordinary skill...
> This is a bit more of the Postfix log.
>
> Jul 06 06:45:59 www postfix/smtpd[3643]: > unknown[45.125.65.52]: 334 VXNlcm5hbWU6
That looks like the port 25 instance of smtpd. Do you actually advertise
AUTH there and if so, why? Typically, an authenticating sender will want
to use the submission protocol on port 465 or 587. If you have those
configured and working, you probably don't have any need for AUTH on
port 25. Note that
Beyond that, 2 useful tools:
1. Postscreen (with the before-smtp checks only) rejecting clients in
the PSBL and Spamhaus XBL and those who talk before the banner is fully
sent. Note that in the example you gave, 45.125.65.52 is listed on both.
2. On ports 465 and 587 (as well as all the POP and IMAP ports, if
you're offering those on the same machine) you can probably safely
reject huge swaths of IP space before they get around to being attack
sources from all auth-required services. Doing this proactively yields
substantial results quickly. It isn't perfect because you need to know
where your users actually log in from, but it can reduce the volume of
attacks to a negligible level. I do this based on allocation blocks
(i.e. whois) and/or routes (i.e. pwhois) so I've ended up with a large
block of rules like this:
05000 deny tcp from 1.0.0.0/8 to any dst-port 110,143,465,587,993,995
05001 deny tcp from 2.0.0.0/7 to any dst-port 110,143,465,587,993,995
05002 deny tcp from 3.0.0.0/9 to any dst-port 110,143,465,587,993,995
05003 deny tcp from 5.0.0.0/8 to any dst-port 110,143,465,587,993,995
05004 deny tcp from 8.0.0.0/10 to any dst-port 110,143,465,587,993,995
[...]
05605 deny tcp from 216.154.192.0/20 to any dst-port 110,143,465,587,993,995
05606 deny tcp from 216.229.124.0/24 to any dst-port 110,143,465,587,993,995
05607 deny tcp from 217.0.0.0/8 to any dst-port 110,143,465,587,993,995
05608 deny tcp from 218.0.0.0/7 to any dst-port 110,143,465,587,993,995
05609 deny tcp from 220.0.0.0/6 to any dst-port 110,143,465,587,993,995
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
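The "log watcher that feeds the firewall" approach mentioned above, written out as an added example for the original poster's pf setup (this is not Bill Cole's script and not part of Postfix or Dovecot). It parses the two log formats quoted in the thread, counts failures per source address, and prints `pfctl -t badhosts -T add` commands instead of running them, so the list can be reviewed against the addresses your own users log in from (the caveat raised above) before anything is blocked. The sample log lines are constructed; the `failed_auth_ips` and `pf_table_commands` function names, the threshold, and the dotted-prefix allow-list (a simplification, not real CIDR matching) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the thread author's log watcher). Reads Postfix and
# Dovecot log lines on stdin, counts failed-auth attempts per source IP, and
# emits "pfctl -t <table> -T add <ip>" for repeat offenders.

# Constructed sample log: the 45.125.65.52 lines mirror the ones quoted in
# the thread; the other addresses are documentation ranges.
SAMPLE_LOG='Jul 06 06:45:59 www postfix/smtpd[3643]: warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 06 06:46:02 www postfix/smtpd[3643]: warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 06 06:46:10 www dovecot: auth: Info: pam(sales@example.invalid,45.125.65.52): unknown user (given password: sale01)
Jul 06 06:47:00 www dovecot: auth: Info: pam(bob@example.invalid,192.0.2.7): unknown user (given password: x)
Jul 06 06:48:00 www postfix/smtpd[3650]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 06 06:48:05 www postfix/smtpd[3650]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Jul 06 06:49:00 www postfix/smtpd[3651]: connect from mail.example.invalid[203.0.113.4]'

# failed_auth_ips THRESHOLD [ALLOW_PREFIXES]
# Prints "count ip" for every source with at least THRESHOLD failures,
# highest count first. ALLOW_PREFIXES is a comma-separated list of dotted
# prefixes (e.g. "192.0.2.") for networks your users really log in from;
# matching sources are never reported (simplification: prefix match only).
failed_auth_ips() {
    awk -v threshold="${1:-3}" -v allow="${2:-}" '
    BEGIN { n = split(allow, allowed, ",") }
    function record(ip,   i) {
        for (i = 1; i <= n; i++)
            if (allowed[i] != "" && index(ip, allowed[i]) == 1) return
        count[ip]++
    }
    # Postfix smtpd: "unknown[45.125.65.52]: SASL LOGIN authentication failed"
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: SASL [A-Z]+ authentication failed/) {
        ip = substr($0, RSTART + 1); sub(/\].*/, "", ip); record(ip)
    }
    # Dovecot pam: "pam(user@host,45.125.65.52): unknown user"
    match($0, /,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\): unknown user/) {
        ip = substr($0, RSTART + 1); sub(/\).*/, "", ip); record(ip)
    }
    END { for (ip in count) if (count[ip] >= threshold) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# pf_table_commands TABLE THRESHOLD [ALLOW_PREFIXES]
# Turns the count list into pfctl commands. They are printed, not executed,
# so the output can be reviewed first and then piped into sh to apply.
pf_table_commands() {
    table="$1"; shift
    failed_auth_ips "$@" | while read -r hits ip; do
        printf 'pfctl -t %s -T add %s\n' "$table" "$ip"
    done
}

# Stand-alone demo over the constructed log with a threshold of 2 failures.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_ips 2
printf '%s\n' "$SAMPLE_LOG" | pf_table_commands badhosts 2
```

In real use the script would read `tail -F` of the mail log (or a periodic slice of it) instead of `SAMPLE_LOG`, and the table has to exist in pf.conf, e.g. `table <badhosts> persist` with a rule such as `block in quick proto tcp from <badhosts> to any port { 110 143 465 587 993 995 }`, which blocks the same auth-required ports as the ipfw rules shown above. Keeping the allow-list accurate matters more than the threshold: a mistyped password from a legitimate user on a home connection must not end up in the table.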