Debian stretch fail2ban satisfying rule for host not found & rbl

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me (ISPConfig Developer)

    If you have a huge amount of entries like
    Code:
    Oct  5 13:48:19 host postfix/smtpd[12048]: NOQUEUE: reject: RCPT from mail.olestage.dk[81.19.abc.xyz]: 450 4.7.1 <exch01.olestage.local>: Helo command rejected: Host not found; from=<> to=<Larisaotf@somelocaldomain> proto=ESMTP helo=<exch01.olestage.local>
    
    in your mail.info and wonder why fail2ban doesn't ban them... it's because the rule is not made for "Host not found" lines that have actual data in them.
    There are improved rulesets for version 0.10/0.11 though.

    Also this might save you some requests / volume on RBL services which usually permit a limited free usage.

    create a custom file
    /etc/fail2ban/filter.d/postfix-hnf.conf
    Code:
    # Fail2Ban filter for selected Postfix SMTP rejections
    #
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    [Definition]
    
    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
    
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$
                ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
    
    # Author: Cyril Jaquier
    
    which is basically a copy of the Debian-shipped version, except for the improved Host-Not-Found rule.

    Add this to your
    /etc/fail2ban/jail.local
    Code:
    [postfix-hnf]
    enabled = true
    port = smtp
    filter = postfix-hnf
    logpath = /var/log/mail.log
    maxretry = 2
    bantime = 10800
    
    [postfix-rbl]
    enabled = true
    port = smtp
    filter = postfix-rbl
    logpath = /var/log/mail.log
    maxretry = 2 
    bantime = 10800
    
    You might want to adjust bantime; the default of 600 is pretty low.

    gently reload fail2ban
    Code:
    service fail2ban reload
    
    and check your log file for growing bans and reduced DNS lookups from your server
    Code:
    tail -f /var/log/fail2ban.log
    
     
    borekon and till like this.
  2. ztk.me

    ztk.me (ISPConfig Developer)

    to get rid of Relay access denied spamming
    Code:
    ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$
    
    
     
    borekon likes this.
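The rules in both posts above only do their job if the regex actually matches the rejection line once `%(__prefix_line)s` and `<HOST>` are expanded. The following is an added example (not code from the original posts, fail2ban or Debian): a small offline checker that expands the Host-Not-Found rule from the first post and the Relay-access-denied rule from the second post the way fail2ban does and runs them over a few constructed mail.log lines. The prefix pattern is a simplified stand-in for fail2ban's `__prefix_line` from `common.conf` (syslog timestamp, hostname, daemon and PID), the `<HOST>` expansion is fail2ban's default one, and `findtime` is ignored, so this is only an approximation of what `fail2ban-regex` would report; the IPs and hostnames in the sample lines are made up.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for fail2ban's __prefix_line (common.conf):
# "<Mon> <day> <hh:mm:ss> <hostname> <_daemon>[<pid>]: ". The _daemon part is the
# one from the filter in the post.
_DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"
_PREFIX_LINE = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ " + _DAEMON + r"\[\d+\]: "

# fail2ban's default expansion of the <HOST> tag (IPv4, IPv6 or a hostname)
_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two rules taken from the posts, exactly as they appear in the filter file
FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$",
]

# Constructed sample log lines (documentation IPs and example.* names, not real data):
# two "Host not found" rejections from the same client, one relay attempt, one
# ordinary connect line that must not match anything.
SAMPLE_LOG = [
    "Oct  5 13:48:19 mx1 postfix/smtpd[12048]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.7.1 <exch01.example.local>: Helo command rejected: Host not found; from=<> to=<user@example.org> proto=ESMTP helo=<exch01.example.local>",
    "Oct  5 13:50:02 mx1 postfix/smtpd[12050]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <victim@example.org>: Relay access denied; from=<spam@example.com> to=<victim@example.org> proto=ESMTP helo=<bot>",
    "Oct  5 13:51:00 mx1 postfix/smtpd[12051]: connect from mail.example.com[203.0.113.5]",
    "Oct  5 13:52:10 mx1 postfix/smtpd[12052]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.7.1 <exch01.example.local>: Helo command rejected: Host not found; from=<> to=<other@example.org> proto=ESMTP helo=<exch01.example.local>",
]


def compile_rules(rules):
    """Expand the fail2ban placeholders in each failregex line and compile it."""
    compiled = []
    for rule in rules:
        rule = rule.replace("^%(__prefix_line)s", _PREFIX_LINE)
        rule = rule.replace("<HOST>", _HOST)
        compiled.append(re.compile(rule))
    return compiled


def matching_hosts(lines, rules=FAILREGEX):
    """Return the <HOST> captured for every log line that matches one of the rules,
    in log order. Lines that match no rule are skipped, as fail2ban would skip them."""
    compiled = compile_rules(rules)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, maxretry=2, rules=FAILREGEX):
    """Hosts that reach maxretry matches (findtime ignored, an assumption), i.e.
    what the jail.local settings in the post would ban with maxretry = 2."""
    counts = Counter(matching_hosts(lines, rules))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matched:", matching_hosts(SAMPLE_LOG))
    print("would ban:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Running it shows that the connect line is ignored, that each rejection yields the client IP from inside the brackets rather than the spoofed HELO name, and that 192.0.2.10 crosses `maxretry = 2` while the single relay attempt from 198.51.100.7 does not. To check the real filter against the real log, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-hnf.conf` does the same with fail2ban's own prefix handling.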
