On 22.06.2023 at 13:58, André Rodier via Postfix-users wrote:
Hello, all.

I just set up a new server, running postfix, with submission(s) activated on standard ports (587, 465).

Shortly after it was set up, I see brute force attacks (not surprising) from a whole /24 network (more surprising).

I carefully checked the logs, and see the modus operandi, which basically loops across the IP addresses in the network, to avoid being blacklisted by tools like fail2ban. And it is true, even with fail2ban activated, no IP is blacklisted.

By activating verbose logging, I see multiple user names are tried, not only passwords.

Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the
username passed, for instance.

I basically need features that fail2ban doesn't offer:

- I would like to not rely on reading logs, removing one step and acting more pro-actively.
- If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate
between a user having lost his password and a brute force attack.
- If I log all the failures in a database, with the IP address, and the whois information, the script would take a decision
according to the whois information.

What are you using on your side?

- Do you know any service, that I could use, to get the network to ban from an IP address reputation, something like
crowdsec, for instance?
- Has anyone had success with Suricata, Snort, or a tool like this?

Please, do not suggest third party hosted services, I want it to be part of my self-hosting solution.

Kind regards,
André


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

postfix/dovecot uses syslog so action can be taken

see

https://blog.schaal-24.de/firewall/postfix-postscreen-ip-in-die-firewall-eintragen/

It is conceivable to spread the action via ssh to other servers in your cluster

you can also use iptables recent to be faster




--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
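
The pattern described in this thread, failures rotated across a /24 so that no single address trips a per-IP limit, can be caught by counting per network instead. This is an added example, not part of the original messages or of Postfix; the log lines are constructed, and the function names and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd logs a failed login as:
#   warning: host[ip]: SASL <mechanism> authentication failed: ...
FAIL_RE = re.compile(r"warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

# Constructed sample lines (documentation address ranges, not real traffic):
# six addresses in one /24 failing once each, one address failing three times,
# and one unrelated line.
SAMPLE_LOG = [
    f"Jun 22 13:40:{i:02d} mail postfix/submission/smtpd[2211]: warning: "
    f"unknown[203.0.113.{i}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for i in range(5, 11)
] + [
    "Jun 22 13:41:00 mail postfix/submission/smtpd[2212]: warning: "
    "unknown[198.51.100.20]: SASL PLAIN authentication failed:"
] * 3 + [
    "Jun 22 13:42:00 mail postfix/submission/smtpd[2213]: connect from unknown[192.0.2.9]"
]

def failures_by_network(lines, prefix_v4=24, prefix_v6=64):
    """Group SASL failures by covering network: distinct source IPs and total count."""
    stats = defaultdict(lambda: {"ips": set(), "failures": 0})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid address
        prefix = prefix_v4 if ip.version == 4 else prefix_v6
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        stats[net]["ips"].add(ip)
        stats[net]["failures"] += 1
    return stats

def networks_to_block(lines, min_failures=5, min_distinct_ips=3):
    """Networks whose failures are spread over several addresses (assumed thresholds)."""
    return sorted(
        str(net) for net, s in failures_by_network(lines).items()
        if s["failures"] >= min_failures and len(s["ips"]) >= min_distinct_ips
    )

if __name__ == "__main__":
    print(networks_to_block(SAMPLE_LOG))
```

The single address with three failures is left to the usual per-IP rule; only the network where failures are spread over several sources is reported.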
