Re: Dictionary attacks

2019-11-04 Thread Bernardo Reino

On Sun, 3 Nov 2019, Phil Stracchino wrote:

> On 2019-11-03 14:21, Bernardo Reino wrote:
>
>> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>>
>>> I've been thinking about setting up exactly such a thing myself.  Trying
>>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>>> different box is just too much of a pain for such a fundamentally simple
>>> task.  It's like trying to set up a CNC mill when all you actually want
>>> to do is file 2mm off a strike plate.
>>
>> If you can do it locally, you can do it remotely (via ssh), like:
>>
>> ssh remote-box whatever_local_shorewall_command
>
> I assumed that was the approach to use, but I found fail2ban's
> configuration and documentation opaque and confusing, and couldn't find
> a good how-to that explained how to set it up.  It was enough of a
> headache that I decided my time was probably better spent building
> something simple and lightweight purpose-built to do exactly what I want
> it to than in trying to figure out the right subset of many complex
> configuration options for a tool designed to do a whole lot of things I
> don't actually need it to do.


You can create a custom action like:
$ cat /etc/fail2ban/action.d/local_action.conf
[Definition]
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]
$

(exactly as is, the "<ip>" will then be replaced by fail2ban with the IP
to be blocked/unblocked).


Then in /usr/local/sbin/fail2ban_action.sh you write whatever you need to 
add or delete an IP from the filter.


In my case it is:

$ cat /usr/local/sbin/fail2ban_action.sh
#!/bin/sh
# Called by fail2ban as: fail2ban_action.sh add <ip>  or  fail2ban_action.sh delete <ip>
# $1 = "add" or "delete", $2 = the address fail2ban substituted for <ip>

# nftables, set = fail2ban (the set itself must already exist in the ruleset)
nft "$1" element inet filter fail2ban "{ $2 }" 2>&1

# always report success back to fail2ban; nft errors are printed above
exit 0
$

If the firewall were remote instead of local, I would just change the 
nft invocation to "ssh firewall nft ..."


Once set, you only need to adapt your /etc/fail2ban/jail.local to use

--
banaction = local_action
--
(or whatever name you choose for the action .conf file)

and of course, if not done already, enable the [sasl] module, like:

--
[sasl]
enabled   = true
port  = smtp,smtps,submission
filter= postfix-sasl
logpath   = /var/log/mail.log
--

Hope that helps!
Good luck.
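The pieces Bernardo wires together (the [sasl] jail counting postfix-sasl failures, and the action receiving <ip>) as an added worked example. This is not code from the message, from fail2ban or from Postfix: it models a fail2ban-style sliding window over constructed Postfix log lines and builds the exact nft / ssh command the posted action script would run, validating the address first so that nothing but an IP ever reaches the "{ $2 }" interpolation. Assumptions: the regex is a simplified form of fail2ban's postfix-sasl filter (not a copy of it), the maxretry/findtime/bantime values and the host name "firewall" are illustrative, and the log lines are constructed.

```python
import ipaddress
import re
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original message): a fast dictionary
# attacker (192.0.2.10), a slow one (203.0.113.5, one try every 15 minutes)
# and one legitimate user with a typo (198.51.100.7).
SAMPLE_LOG = """\
Nov  4 06:19:35 mail postfix/smtpd[28906]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:19:36 mail postfix/smtpd[28907]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:19:40 mail postfix/smtpd[28906]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Nov  4 06:19:41 mail postfix/smtpd[28910]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:20:01 mail postfix/smtpd[28907]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:20:02 mail postfix/smtpd[28910]: connect from unknown[203.0.113.5]
Nov  4 06:20:15 mail postfix/smtpd[28906]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:21:00 mail postfix/smtpd[28912]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:25:00 mail postfix/smtpd[28920]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:40:00 mail postfix/smtpd[28931]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 06:55:00 mail postfix/smtpd[28944]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 07:10:00 mail postfix/smtpd[28951]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  4 07:25:00 mail postfix/smtpd[28960]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Simplified form of fail2ban's postfix-sasl failregex (assumption, not a copy).
# The address group only admits IP characters, so a hostile log line cannot
# inject anything else into what the action later receives as <ip>.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN) authentication failed"
)


def parse_failures(lines, year=2019):
    """Yield (epoch_seconds, ip) for every line the 'filter' matches."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts.timestamp(), m["ip"]


def jail(lines, maxretry=5, findtime=600, bantime=3600):
    """fail2ban-style jail: ban an IP once it has maxretry failures within
    the last findtime seconds. Returns {ip: (ban_at, unban_at)}."""
    recent = defaultdict(list)
    bans = {}
    for t, ip in parse_failures(lines):
        if ip in bans:
            continue  # already banned; further failures are not counted
        window = recent[ip] = [x for x in recent[ip] if t - x < findtime] + [t]
        if len(window) >= maxretry:
            bans[ip] = (t, t + bantime)
    return bans


def action_command(op, ip, remote_host=None):
    """Build the command the posted action script runs for actionban ('add')
    or actionunban ('delete'). The address is validated with ipaddress before
    it is placed inside the nft set expression."""
    if op not in ("add", "delete"):
        raise ValueError(f"unsupported action {op!r}")
    addr = ipaddress.ip_address(ip)  # ValueError for anything that is not an IP
    cmd = ["nft", op, "element", "inet", "filter", "fail2ban", f"{{ {addr} }}"]
    if remote_host:  # the "ssh firewall nft ..." variant from the message
        cmd = ["ssh", remote_host, shlex.join(cmd)]
    return cmd


if __name__ == "__main__":
    for ip, (ban_at, unban_at) in jail(SAMPLE_LOG.splitlines()).items():
        print(datetime.fromtimestamp(ban_at), shlex.join(action_command("add", ip)))
        print(datetime.fromtimestamp(unban_at),
              shlex.join(action_command("delete", ip, remote_host="firewall")))
```

With the defaults only the fast attacker is banned; the slow one, spacing attempts 15 minutes apart, never accumulates five failures inside a 600 s window and is only caught when findtime is widened to an hour and maxretry lowered. That is the trade-off behind the jail's two numbers, and the reason the action script should never see anything but an address.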


Re: Cannot sign with DKIM on same-server web and mail

2019-11-04 Thread linkcheck
Sorry for the delay in replying. I've been looking at this and trying to make
it work in my head, but keep coming up with DKIM running twice. Please bear
with me. Your setup of...

smtpd_milters = inet:localhost:10025, unix:spamass/spamass.sock
non_smtpd_milters = inet:localhost:10025

...suggests to me that the sequence of operation is DKIM followed by SPAMASS
(both from smtpd_milters, assuming they run in sequence) followed by DKIM
via pickup... And I see the flaw in that now!

Pickup only gets run from sendmail which is called by content_filter OR by
apache. So that now makes sense. Taken me hours to see that. :(

So what I need is, as you said, to remove content_filter in master.cf and in
main.cf to put in a new sequence...

smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
unix:spamass/spamass.sock, unix:/var/run/clamav/clamav-milter.ctl,
unix:/var/run/opendmarc/opendmarc.sock

non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

I assume I do not need to include dmarc in the non_smtpd_milters since it's
outgoing only. Should I move dmarc between dkim and spamass in
smtpd_milters?

If the above is correct my remaining problem would be to determine which of
the various spamassassin / spamass-milter / spamd file groups I have to set
up and where to put the sock.

Thanks for your input. Sorry I doubted you first posting. :(




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Cannot sign with DKIM on same-server web and mail

2019-11-04 Thread linkcheck
@lbutlr wrote
> On 01 Nov 2019, at 10:03, linkcheck <postfix@.co> wrote:
>> Jaroslaw Rafa wrote
> Apache should not be posting mail via pickup. Use an SMTP plugin that
> authenticates just like anyone else.

If the mail and web servers were separate I would agree, but there is a lot
of overhead in adding (e.g.) phpmail when all that is required is a simple
non-authenticated posting into postfix's sendmail.






Re: Cannot sign with DKIM on same-server web and mail

2019-11-04 Thread Jaroslaw Rafa
On 4.11.2019 at 04:31:51 linkcheck writes:
> 
> Pickup only gets run from sendmail which is called by content_filter OR by
> apache. So that now makes sense. Taken me hours to see that. :(
> 
> So what I need is, as you said, to remove content_filter in master.cf and in
> main.cf to put in a new sequence...

Exactly :) That's the whole point of this setup - to avoid running pickup a
second time.

> I assume I do not need to include dmarc in the non_smtpd_milters since it's
> outgoing only. Should I move dmarc between dkim and spamass in
> smtpd_milters?

I don't know as I don't use DMARC. I only DKIM sign outgoing mail, I don't
verify DKIM nor DMARC on incoming mail. Just try what order works best.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Dictionary attacks

2019-11-04 Thread Matus UHLAR - fantomas

John Schmerold:
> What is the best way to protect against dictionary attacks in Postfix?

Wietse Venema:
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).

On 03 Nov 2019, at 06:06, Wietse Venema wrote:
> Also, Postfix can rate-limit auth commands, on the assumption that
> good users don't make lots of repeated login attempts.
>
> Wietse
>
> http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit
>
> smtpd_client_auth_rate_limit (default: 0)
>    The maximal number of AUTH commands that any client is allowed
>    to send to this service per time unit, regardless of whether
>    or not Postfix actually accepts those commands. The time unit
>    is specified with the anvil_rate_time_unit configuration
>    parameter.

On 03.11.19 06:39, @lbutlr wrote:
> That defaults to 60s so setting this to 3 would rate limit to three attempts
> per minute. That’s good to know.
>
> That might be useful, though I am not sure I am seeing very fast auth attempts.

Unfortunately, I do, multiple auth attempts from the same host to the same
user, quick estimate says even 7 per minute. Apparently some clients don't
keep smtp connections open in the background, so we must be very careful
here.

> Still, it certainly can’t hurt.

I'm afraid it won't even help much - seems that dictionary attacks work much
slower.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
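The trade-off argued in this message (a 7-attempts-per-minute legitimate client versus slow dictionary attacks) and the burst that Olivier's log excerpt later in the thread shows, as an added worked example. This is a model of what smtpd_client_auth_rate_limit does per anvil_rate_time_unit, not Postfix's anvil code: the counter for a (service, client) pair starts at the client's first AUTH command and is reset once a full time unit has elapsed, which is a simplification (assumption). The three client profiles are constructed; the refusal counts it produces are the N that Postfix logs in "AUTH command rate limit exceeded: N".

```python
from collections import defaultdict


def anvil_auth_rate_limit(events, limit, time_unit=60):
    """Model of smtpd_client_auth_rate_limit = limit with
    anvil_rate_time_unit = time_unit seconds.

    events: iterable of (t_seconds, client_ip, service), one per AUTH command,
            counted whether or not the AUTH would have succeeded (postconf(5)).
    Returns {ip: [(t, count, service), ...]} for the commands that would be
    refused, count being the value Postfix logs as 'rate limit exceeded: N'.
    """
    if limit <= 0:  # the default 0 means no limit
        return {}
    window_start = {}
    count = defaultdict(int)
    refused = defaultdict(list)
    for t, ip, service in sorted(events):
        key = (service, ip)  # anvil keys its counters per service and client
        if key not in window_start or t - window_start[key] >= time_unit:
            window_start[key], count[key] = t, 0  # simplified window reset
        count[key] += 1
        if count[key] > limit:
            refused[ip].append((t, count[key], service))
    return dict(refused)


def sample_events():
    """Constructed AUTH command stream (t in seconds, client IP, service):
    a burst attacker, a slow dictionary attacker and a chatty legitimate
    client that re-authenticates seven times a minute."""
    burst = [(i * 0.4, "198.51.100.200", "smtps") for i in range(12)]
    slow = [(1000 + i * 90, "203.0.113.9", "smtp") for i in range(20)]
    chatty = [(5000 + i * 9, "192.0.2.50", "submission") for i in range(7)]
    return burst + slow + chatty


if __name__ == "__main__":
    for limit in (3, 10):
        print(f"smtpd_client_auth_rate_limit = {limit}")
        for ip, hits in anvil_auth_rate_limit(sample_events(), limit).items():
            for t, n, service in hits:
                print(f"  t={t:7.1f} warning: AUTH command rate limit exceeded: "
                      f"{n} from unknown[{ip}] for service {service}")
```

With the limit at 3 the burst loses nine of its twelve commands, but so does the legitimate client (four of seven), while the slow attacker, one guess every 90 seconds, is never touched at any limit: each of its commands lands in a fresh time unit. Raising the limit to 10 spares the legitimate client and still cuts the burst; catching the slow attacker needs a longer memory of failures than this mechanism has.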


Re: Dictionary attacks

2019-11-04 Thread Phil Stracchino
On 2019-11-04 03:32, Bernardo Reino wrote:
> You can create a custom action like:
> $ cat /etc/fail2ban/action.d/local_action.conf
> [Definition]
> actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
> actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
> actioncheck =
> actionstart =
> actionstop =
> 
> [Init]
> $
> 
> (exactly as is, the "<ip>" will then be replaced by fail2ban with the IP
> to be blocked/unblocked).
> 
> Then in /usr/local/sbin/fail2ban_action.sh you write whatever you need to 
> add or delete an IP from the filter.
> 
> In my case it is:
> 
> $ cat /usr/local/sbin/fail2ban_action.sh
> #!/bin/sh
> 
> # nftables, set = fail2ban
> nft "$1" element inet filter fail2ban "{ $2 }" 2>&1
> 
> exit 0
> $
> 
> If the firewall were remote instead of local, I would just change the 
> nft invocation to "ssh firewall nft ..."
> 
> Once set, you only need to adapt your /etc/fail2ban/jail.local to use
> 
> --
> banaction = local_action
> --
> (or whatever name you choose for the action .conf file)
> 
> and of course, if not done already, enable the [sasl] module, like:
> 
> --
> [sasl]
> enabled   = true
> port  = smtp,smtps,submission
> filter= postfix-sasl
> logpath   = /var/log/mail.log
> --
> 
> Hope that helps!
> Good luck.
> 


Thanks for the mini-howto, Bernardo!  I'll give it another try.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: Cannot sign with DKIM on same-server web and mail

2019-11-04 Thread linkcheck
Jaroslaw Rafa wrote
> On 4.11.2019 at 04:31:51 linkcheck writes:
> I don't know as I don't use DMARC. I only DKIM sign outgoing mail, I don't
> verify DKIM nor DMARC on incoming mail. Just try what order works best.

Ok. Thanks for all the help. :)






Re: Dictionary attacks

2019-11-04 Thread Olivier
Matus UHLAR - fantomas  writes:

> I'm afraid it won't even help much - seems that dictionary attacks work much
> slower.

Not all of them are slow:

Nov  5 06:19:35 mail postfix/smtpd[28906]: warning: AUTH command rate limit exceeded: 4 from unknown[106.58.210.27] for service smtp
Nov  5 06:19:36 mail postfix/smtpd[29057]: warning: AUTH command rate limit exceeded: 5 from unknown[106.58.210.27] for service smtp
Nov  5 06:24:50 mail postfix/smtpd[29584]: warning: AUTH command rate limit exceeded: 4 from unknown[45.82.153.76] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29931]: warning: AUTH command rate limit exceeded: 4 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29932]: warning: AUTH command rate limit exceeded: 5 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29933]: warning: AUTH command rate limit exceeded: 6 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29929]: warning: AUTH command rate limit exceeded: 7 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29930]: warning: AUTH command rate limit exceeded: 8 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29934]: warning: AUTH command rate limit exceeded: 9 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29935]: warning: AUTH command rate limit exceeded: 10 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:38 mail postfix/smtpd[29933]: warning: AUTH command rate limit exceeded: 11 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:38 mail postfix/smtpd[29932]: warning: AUTH command rate limit exceeded: 12 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:39 mail postfix/smtpd[29931]: warning: AUTH command rate limit exceeded: 13 from unknown[141.98.80.102] for service smtps


Best regards,

Olivier


-- 


redirect HOLD queue to alternate MTA??

2019-11-04 Thread Chi Min Wang

Hello Everyone:
  I am using OpenDKIM/OpenDMARC as some sort of anti-spam. OpenDMARC
can handle DMARC p=none or p=reject without any problem. But if
p=quarantine, OpenDMARC just lets the incoming mail go to the Postfix
HOLD queue. Is it possible to let Postfix redirect incoming mail to an
alternate MTA when it gets smfir_quarantine from the milter? Thanks!!
