Postfix Blacklisting IPs (connection spam in mail.log)

Discussion in 'Installation/Configuration' started by niemand-glaumy, Feb 8, 2022.

  1. Hey, I have a mailserver issue and while trying to fix it, I tailed mail.log.
    There I get login spam from a few specific IPs (I guess they're trying to bruteforce or something?):
    Code:
    Feb  8 15:12:34 web postfix/smtpd[12690]: disconnect from unknown[5.34.205.118] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  8 15:12:36 web postfix/smtpd[12338]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  8 15:12:36 web postfix/smtpd[12338]: disconnect from unknown[5.34.205.118] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  8 15:12:37 web postfix/smtpd[12331]: connect from unknown[5.34.205.118]
    Is there a way I can blacklist those IPs and deny any connection completely? Because I can't even read the errors I want to fix, they pass by so fast. :D

    And is there a way to DDoS for free so I can retaliate? :3
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You can use fail2ban to catch those and block the IP addrs with repeated failures. There are other tools as well, but that is quick to set up.
     
  3. Thank you! It seems like fail2ban is already actively running. At least I have recent lines in ispconfig > Monitor > fail2ban Log. Can I find the settings somewhere?

    Edit: It seems adding an IP to a jail won't stop it from trying to connect and spamming like posted above.
    Command used:
    Code:
    fail2ban-client -vvv set postfix banip 5.34.205.118
     
    Last edited: Feb 8, 2022
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You can do quite a lot with fail2ban, but you have to configure it; it does almost nothing out of the box (only monitors ssh login failures, iirc), and the perfect server guides include very minimal additional configuration.
    Most custom config is done in /etc/fail2ban/jail.local; you might also edit fail2ban.local and add files to /etc/fail2ban/filter.d/ (or possibly /etc/fail2ban/action.d/). It looks like there is now a /etc/fail2ban/jail.d/ you can/should check as well (looking at a Debian 11 host here).
    What do you see from "fail2ban-client get postfix banip"? You might start with checking /var/log/fail2ban.log, and even restart fail2ban to see what shows there.
     
  5. recin

    recin Active Member

    I think you have to block the IP under the postfix-sasl jail:
    Code:
    fail2ban-client -vvv set postfix-sasl banip 5.34.205.118
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It should prevent it, but only for the bantime of the jail used.
    Enable the recidive jail, set that jail's bantime to 1 week and add the IP to the recidive jail.
    Code:
    fail2ban-client set recidive banip 5.34.205.118
     
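To make visible what a jail like postfix-sasl does with the log lines from the first post, here is an added example (not from the thread and not fail2ban's own code) that replays the jail's counting rule in Python over a constructed mail.log sample. The regex, maxretry and findtime are written to mirror fail2ban's default behaviour as an assumption, and 192.0.2.10 is a constructed benign client that only failed once.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format of the thread's mail.log excerpt;
# 5.34.205.118 is the IP from the thread, 192.0.2.10 a constructed legit client.
SAMPLE_LOG = """\
Feb  8 15:12:36 web postfix/smtpd[12338]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  8 15:12:38 web postfix/smtpd[12331]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  8 15:12:40 web postfix/smtpd[12331]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  8 15:12:43 web postfix/smtpd[12339]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  8 15:12:45 web postfix/smtpd[12339]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  8 15:13:01 web postfix/smtpd[12340]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
"""

# The line type the postfix-sasl jail keys on: a SASL authentication failure
# logged by postfix/smtpd, with the client IP in square brackets.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F:.]+)\]: SASL \w+ authentication failed"
)

def parse_failures(log_text, year=2022):
    """Return (timestamp, ip) for every SASL auth failure line in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one has to be assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"]))
    return failures

def ips_to_ban(failures, maxretry=5, findtime_s=600):
    """Apply a jail's rule: ban an IP that fails maxretry times within findtime."""
    per_ip = defaultdict(list)
    for ts, ip in sorted(failures):
        per_ip[ip].append(ts)
    banned = set()
    for ip, times in per_ip.items():
        # sliding window over this IP's sorted failure times
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime_s:
                banned.add(ip)
                break
    return sorted(banned)

if __name__ == "__main__":
    for ip in ips_to_ban(parse_failures(SAMPLE_LOG)):
        # same effect as the manual command discussed in the thread
        print(f"fail2ban-client set postfix-sasl banip {ip}")
```

Lowering findtime_s or raising maxretry on the same sample shows why a single banip on the wrong jail, or a jail with a short bantime, lets the connects keep coming once the ban expires.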