On Wed, 1 Sep 2021, Leandro Santiago wrote:

Hey All,

Looks like my original mail from Hadmut got eaten by voracious thread-cleaning. Sorry for the top post.

I use sendmail in my daily life, not postfix, but I have a ~100 line perl script that basically:

Looks for:

Sep 1 06:51:42 <mail.info> prime sm-mta[66779]: 181DpU3N066779: [5.188.206.156] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA

..grabs the IP address and stuffs it into a hash table.

..counts up the number of entries...

..and if it's over some threshold, adds it to ipfw, and also complains to the ISP via abusix.org's lookup service, cc'ing me. If there's twelve IPs, they get twelve emails -- the script doesn't aggregate.

(and if it finds it in ipfw already it won't try to re-block or re-complain)

You'd have to look for postfix's error message, but your tools here could be as simple as tail, grep and sort.

I haven't automated this for fear of shooting myself in the foot, but I'm happy to share the script off-list. It's quick and hacky so I haven't bothered sticking it up on, like, GitHub or something.

Best,

-Dan

Hi Hadmut (and list :-)),

I've been part of a team working on an open source monitoring tool specialized in Postfix called Lightmeter, and one of the features we are working on at the moment is brute-force attack analysis.

We are in the early development stages of the feature, looking for feedback and suggestions.

Our approach consists of analyzing activity contributed by multiple users for local and global patterns and sources of attacks, ultimately automating the blocking of such sources as a preventive measure.

At the moment we use the Postfix log files to analyze such activity. The logs are processed by Lightmeter locally, and some compiled data from them is sent to our servers for the analysis.

Over the past days we've been doing some experiments and implemented a simple visualization tool in Lightmeter that shows failed authentication attempts over time, alongside their IP addresses.

It's a very simple feature for now, as we plan to continue iterating to improve it.

I've recorded a short video [1] showing how the feature looks at the moment.

It's not yet released, but the source code is available on our repository [2].

The ideas we are evaluating and experimenting with are:

- Providing ways to automatically detect potential attacks (and successful ones, if we miss them), notifying the sysadmin about such breaches in real time.

- Automatically blocklisting the detected IP addresses.

- Providing a tool for allowlisting IP addresses previously blocked.

- Detecting that connections from multiple origins are part of the same attack attempt, potentially uncovering different organizations and IP groups often used in attacks.

- Jumping to the log line relative to that connection when clicking on a connection in the graph, for detailed analysis. This is done using an embedded log viewer.

We would be glad if you folks could test the feature and let us know your thoughts, concerns, wishes, ideas for improvement or feedback in general.

[1] https://www.youtube.com/watch?v=r2l-xF-8zJE
[2] https://gitlab.com/lightmeter/controlcenter/

On 7/30/21 4:49 PM, Hadmut Danisch wrote:
Hi,

we are experiencing permanent high traffic from numerous sites trying to SMTP AUTH to our postfix node, obviously trying to brute-force password dictionaries against mail address lists probably taken from spam lists (including lots of older message IDs with the same syntax as mail addresses).

For some reason beyond the common noise we need to do some deeper analysis about who is trying which user account from where.

Unfortunately, the required data, i.e. client IP address and username, are distributed across different log files. The IP address is written to postfix's log, while the username is in saslauthd's log in case of failure, with the time stamp as the only link between both.


Is there some best current practice or recommended log config to analyze persistent login attempts?


(We are considering limiting SMTP AUTH to the submission port 587 and having a blacklist for that in the firewall, but maintaining such a blacklist still requires understanding who is attacking and how.)


regards

Hadmut

--

"This Is Not Goodbye!"

-DM, August 11th 2001, 10 PMish Chicago Time

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
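The thread describes two halves of one job: Dan's script tallies failed-auth log lines per client IP and blocks above a threshold, and Hadmut needs to join the client IP from Postfix's log to the username from saslauthd's log, where the timestamp is the only shared key. The following Python is an example added by the editor; it is not Dan's script, Lightmeter code, or anything posted in the thread. The log lines are constructed for the example, in the usual syslog shape of postfix/smtpd "SASL ... authentication failed" warnings and saslauthd "auth failure: [user=...]" lines; the year 2021, the one-second join window, the threshold of 3 and the LOCAL_USERS set are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the thread), in the usual syslog shape of
# postfix/smtpd SASL failure warnings and saslauthd failure lines. Two clients
# fail in the same second (06:51:42) to show the ambiguity a timestamp-only
# join has to live with; the last smtpd failure has no saslauthd partner.
POSTFIX_LOG = """\
Sep  1 06:51:42 mail postfix/smtpd[66779]: warning: unknown[5.188.206.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  1 06:51:42 mail postfix/smtpd[66780]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Sep  1 06:51:43 mail postfix/smtpd[66779]: warning: unknown[5.188.206.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  1 06:51:44 mail postfix/smtpd[66781]: warning: unknown[5.188.206.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  1 06:52:10 mail postfix/smtpd[66782]: connect from unknown[198.51.100.7]
Sep  1 06:53:00 mail postfix/smtpd[66783]: warning: unknown[5.188.206.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
SASLAUTHD_LOG = """\
Sep  1 06:51:42 mail saslauthd[9876]: do_auth         : auth failure: [user=alice@example.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep  1 06:51:42 mail saslauthd[9877]: do_auth         : auth failure: [user=bob@example.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep  1 06:51:43 mail saslauthd[9876]: do_auth         : auth failure: [user=20210901.1234@example.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep  1 06:51:44 mail saslauthd[9877]: do_auth         : auth failure: [user=alice@example.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Sep  1 06:51:45 mail saslauthd[9876]: do_auth         : auth failure: [user=carol@example.org] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""
# Assumed set of real mailboxes; anything else being tried is list-driven noise.
LOCAL_USERS = {"alice@example.org", "bob@example.org", "carol@example.org"}

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
POSTFIX_FAIL = re.compile(
    SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed")
SASLAUTHD_FAIL = re.compile(
    SYSLOG_TS + r" \S+ saslauthd\[\d+\]: .*auth failure: \[user=(?P<user>[^\]]*)\]")


def parse_ts(ts, year=2021):
    """Syslog timestamps carry no year, so the caller supplies one (2021 assumed)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def postfix_failures(text, year=2021):
    """(timestamp, client IP) for each SASL failure smtpd logged, in log order."""
    return [(parse_ts(m["ts"], year), m["ip"])
            for m in map(POSTFIX_FAIL.search, text.splitlines()) if m]


def saslauthd_failures(text, year=2021):
    """(timestamp, username) for each failure saslauthd logged, in log order."""
    return [(parse_ts(m["ts"], year), m["user"])
            for m in map(SASLAUTHD_FAIL.search, text.splitlines()) if m]


def correlate(pf, sa, window=timedelta(seconds=1)):
    """Join the two logs on time, the only key they share.

    Each smtpd failure takes the nearest not-yet-used saslauthd failure within
    `window`, ties broken by log order. Returns (pairs, unmatched): pairs is a
    list of (timestamp, ip, user); unmatched counts smtpd failures with no
    saslauthd line close enough. At one-second resolution two clients failing
    in the same second can be swapped, so ip->user is indicative, not proof.
    """
    used = [False] * len(sa)
    pairs, unmatched = [], 0
    for ts, ip in pf:
        best = None
        for i, (sts, _) in enumerate(sa):
            if used[i]:
                continue
            d = abs(sts - ts)
            if d <= window and (best is None or d < best[0]):
                best = (d, i)
        if best is None:
            unmatched += 1
            continue
        used[best[1]] = True
        pairs.append((ts, ip, sa[best[1]][1]))
    return pairs, unmatched


def failures_per_ip(pf):
    """Per-IP tally straight from the Postfix log; this is what blocking keys on."""
    return Counter(ip for _, ip in pf)


def block_candidates(counts, threshold=3):
    """IPs at or above the threshold, as a firewall blocklist would take them."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def users_per_ip(pairs):
    """Which usernames each client tried, from the joined records."""
    tried = defaultdict(set)
    for _, ip, user in pairs:
        tried[ip].add(user)
    return dict(tried)


def unknown_users(pairs, local_users):
    """Tried usernames that are not real mailboxes (the message-ID-shaped ones)."""
    return {user for _, _, user in pairs} - set(local_users)


if __name__ == "__main__":
    pf, sa = postfix_failures(POSTFIX_LOG), saslauthd_failures(SASLAUTHD_LOG)
    pairs, unmatched = correlate(pf, sa)
    counts, tried = failures_per_ip(pf), users_per_ip(pairs)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failures, users tried: {sorted(tried.get(ip, ()))}")
    print("block:", block_candidates(counts), "| unmatched smtpd failures:", unmatched)
    print("not local:", sorted(unknown_users(pairs, LOCAL_USERS)))
```

The per-IP counts that drive blocking come from the Postfix log alone, so they do not depend on the join; the join only adds the "which account from where" view Hadmut asks for. It is inherently lossy at one-second syslog resolution: when two clients fail in the same second, which saslauthd line belongs to which smtpd line is a guess, which is why the example pairs them in log order and reports how many smtpd failures found no partner at all. Usernames outside the local set are the tell for dictionary attacks driven by scraped address lists. On a live system the two inputs would be the relevant lines grepped out of the mail log and the saslauthd log for the same day.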
