Hi Davide,
Rather than a login attempt, it is a connection attempt and you're going
to get a lot of those if you run your own mailserver. The postfix filter
does not pick up these attempts. To get round it, I've created my own jail:
[postfix-disc]
enabled = true
logpath = %(syslog_mail)s
maxretry = 5
bantime = 108000
findtime = 3600
port = smtp,465,submission
and filter (/etc/fail2ban/filter.d/postfix-disc.conf):
# Fail2Ban filter for postfix lost connections
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
            ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
ignoreregex =
# Author: Nick Howitt
Note that my filter would have triggered but not banned as it is set to
require 5 attempts in an hour before activating a ban. Your postfix
filter would need 5 attempts in 10 minutes if you are running with the
default configuration, so it also would not have banned based on this
single find.
FWIW, if you put:
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
in your /etc/postfix/main.cf, postfix will drop all these connections
from unknown. It is a mandatory RFC compliance thing that any IP which a
mail server uses has a reverse DNS entry which is what this is missing
so it should be safe. Note the reverse DNS does not have to match the
sending FQDN, but it should exist. You can test by using the following
instead:
smtpd_client_restrictions = warn_if_reject reject_unknown_reverse_client_hostname
This will log a failure but not reject.
Even if you do use smtpd_client_restrictions, I would still use f2b to
ban offenders because every so often I get a burst of 100+ attempts
which I don't like. I also have a jail to stop slow chipping away:
[postfix-discsl]
# as postfix-disc but to pick up people chipping away slowly
enabled = true
logpath = %(syslog_mail)s
filter = postfix-disc
maxretry = 10
bantime = 108000
findtime = 86400
port = smtp,465,submission
It uses the same filter but blocks after 10 attempts in 8 hours.
It is all a bit OTT but I am a bit paranoid about my mail server.
Regards,
Nick
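The matching and thresholding described above, as an added example that is not code from this thread or from fail2ban: a Python approximation of the two postfix-disc failregex lines and of a jail's maxretry/findtime window, run over constructed log lines (documentation-range IPs, not real hosts). It assumes %(__prefix_line)s can be stood in for by a fixed syslog prefix and narrows <HOST> to an IPv4 address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for %(__prefix_line)s on "Nov 15 20:27:32 server postfix/smtpd[7086]: "; <HOST> narrowed to IPv4.
PREFIX = r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The postfix-disc failregex lines with <HOST> substituted. ".*\..*\[" requires a dot in the
# client name, so a bare "unknown[ip]" lost-connection line matches only the second pattern.
FAILREGEX = [
    re.compile(PREFIX + r"lost connection after (?:AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN)"
               r" from .*\..*\[" + HOST + r"\]$"),
    re.compile(PREFIX + r"disconnect from unknown\[" + HOST + r"\]$"),
]

def match_failures(lines, year=2016):
    """Return (timestamp, host, pattern_index) for every line some failregex matches."""
    hits = []
    for line in lines:
        for i, rx in enumerate(FAILREGEX):
            if m := rx.match(line):
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                hits.append((ts, m["host"], i))
                break
    return hits

def jail_bans(hits, maxretry, findtime):
    """fail2ban-style window: ban a host once maxretry failures fall inside findtime seconds."""
    recent, banned = defaultdict(deque), []
    for ts, host, _ in sorted(hits):
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def _probe(ts, client):  # constructed connect / lost-connection / disconnect trio for one probe
    return [f"{ts} server postfix/smtpd[7086]: {msg} {client}"
            for msg in ("connect from", "lost connection after AUTH from", "disconnect from")]

SAMPLE_LOG = (  # constructed sample log; documentation IP ranges, not real hosts
    # no reverse DNS, 6 probes in 50 minutes: postfix-disc (5 in 3600 s) bans it
    sum((_probe(f"Nov 15 20:{m:02d}:32", "unknown[198.51.100.7]") for m in range(0, 60, 10)), [])
    # resolvable client, 3 probes: the lost-connection pattern matches, but too few to ban
    + sum((_probe(f"Nov 15 21:{m:02d}:01", "mx.example.net[203.0.113.9]") for m in (5, 25, 45)), [])
    # slow chipping, one probe every 2 hours: only postfix-discsl (10 in 86400 s) bans it
    + sum((_probe(f"Nov 16 {h:02d}:10:00", "unknown[192.0.2.33]") for h in range(0, 20, 2)), [])
)
```

jail_bans(match_failures(SAMPLE_LOG), 5, 3600) returns ['198.51.100.7'] while the 10/86400 window returns ['192.0.2.33']; a single probe like the quoted excerpt yields one match and so bans in neither jail.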
On 15/11/2016 19:46, Davide Marchi wrote:
> Hi friends,
> I've just set up Postfix and Dovecot on my VPS Debian Jessie and from the
> first day I've seen this logon attempt:
>
>
> Nov 15 20:27:32 server postfix/smtpd[7086]: warning: hostname 212-129-49-213.rev.poneytelecom.eu does not resolve to address 212.129.49.213: Name or service not known
> Nov 15 20:27:32 server postfix/smtpd[7086]: connect from unknown[212.129.49.213]
> Nov 15 20:27:32 server postfix/smtpd[7086]: lost connection after AUTH from unknown[212.129.49.213]
> Nov 15 20:27:32 server postfix/smtpd[7086]: disconnect from unknown[212.129.49.213]
>
> I've enabled on my /etc/fail2ban/jail.conf [postfix] entry:
>
> enabled = true
> port = smtp,ssmtp
> filter = postfix
> logpath = /var/log/mail.log
>
>
> and on my /etc/fail2ban/filter.d/postfix.conf:
>
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> _daemon = postfix/smtpd
>
> failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
>             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
>             ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
>             ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
>
> ignoreregex =
>
> # Author: Cyril Jaquier
>
>
>
> But this seems not enough, the spammer doesn't get banned.
> Could you suggest how I could set these config files correctly?
>
>
> many many thanks!
>
> Davide
>
>
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users