TicTacTech.net Forums
Use Fail2ban and Postscreen to Fight Botnet Connections to Postfix - Printable Version




Use Fail2ban and Postscreen to Fight Botnet Connections to Postfix - tictactech.net - 11-12-2023

Use Fail2ban and Postscreen to Fight Botnet Connections to Postfix


I noticed multiple unsuccessful connection attempts on my Postfix server from various IPs. The EHLO response varies, but many of them respond as "User\r\n". See the following log entries from my /var/log/postfix.log file:
Nov 10 19:20:58 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:57044 after ??????: 6\2
Nov 10 19:20:57 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:46298 after ??????: W\
Nov 6 05:57:36 mail postfix/postscreen[15159]: PREGREET 11 after 0.12 from [147.78.103.88]:56690: EHLO User\r\n
Oct 30 04:05:40 mail postfix/postscreen[8417]: PREGREET 11 after 0.13 from [87.120.84.90]:58426: EHLO User\r\n
Oct 30 04:54:26 mail postfix/postscreen[9258]: PREGREET 11 after 0.13 from [87.120.84.90]:51143: EHLO User\r\n
Oct 30 06:50:04 mail postfix/postscreen[11318]: PREGREET 11 after 0.13 from [147.78.103.88]:52788: EHLO User\r\n
Oct 30 05:37:00 mail postfix/postscreen[9963]: PREGREET 11 after 0.13 from [147.78.103.88]:54640: EHLO User\r\n

As you can see, these connection attempts are coming from many different IP addresses. The best way to handle these attempts is with a custom Fail2ban rule that can match against the EHLO response. Fail2ban is log-monitoring software that is able to take action when it matches a rule. These actions can vary, but the default is to "ban" the IP and/or port by creating a rule in iptables. I will walk through the setup of this custom Fail2ban rule and the subsequent testing and verifying of the rule.


Read More …


https://tictactech.net/category-blog/linux/use-fail2ban-and-postfix-postscreen-to-fight-botnet-logins
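As an added, stand-alone example (not code from the post or from the linked guide), the following Python script shows what a Fail2ban filter for these postscreen lines does: it holds a filter definition in Fail2ban's own file format, expands the two Fail2ban macros it uses (`__prefix_line` from common.conf and `<HOST>`), runs the resulting regexes over the log lines quoted in the post, and reports which IPs would reach a jail's maxretry. The filter file name, the maxretry value, the Python-side expansion of `__prefix_line` and the final "mail.example" log line are assumptions made for the example; the other log lines are the ones quoted above.

```python
"""Offline check of a Fail2ban filter for Postfix postscreen log lines.

Added example. Mirrors the matching that Fail2ban performs, so the
failregex can be verified before it is installed under
/etc/fail2ban/filter.d/ (file name assumed, e.g. postscreen-botnet.conf).
"""
import re
from collections import Counter

# Assumed filter definition in Fail2ban's format. Fail2ban itself expands
# %(__prefix_line)s (syslog timestamp/host/daemon prefix, from common.conf)
# and <HOST> (the IP to ban). The EHLO argument is logged with escaped CR/LF,
# i.e. the four literal characters \r\n, hence the doubled backslashes.
FILTER_CONF = r"""
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after [\d.]+ from \[<HOST>\]:\d+: EHLO User\\r\\n$
            ^%(__prefix_line)sCOMMAND PIPELINING from \[<HOST>\]:\d+ after
ignoreregex =
"""

# Plain-Python stand-in for Fail2ban's __prefix_line (assumption: classic
# syslog format "Mon dd hh:mm:ss host postfix/postscreen[pid]: ").
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ postfix/postscreen\[\d+\]: "


def compile_failregex(conf, prefix=PREFIX_LINE):
    """Collect the failregex lines of a filter and turn them into Python
    regexes by substituting the two Fail2ban macros used above."""
    patterns = []
    collecting = False
    for raw in conf.splitlines():
        if raw.startswith("failregex ="):
            collecting = True
            raw = raw[len("failregex ="):]
        elif collecting and not raw.startswith((" ", "\t")):
            collecting = False          # next key (ignoreregex) ends the value
        if collecting and raw.strip():
            rx = raw.strip().replace("%(__prefix_line)s", prefix)
            rx = rx.replace("<HOST>", r"(?P<host>[^\]]+)")
            patterns.append(re.compile(rx))
    return patterns


FAILREGEX = compile_failregex(FILTER_CONF)


def matched_hosts(lines):
    """Return the <HOST> value of every line that hits a failregex."""
    hosts = []
    for line in lines:
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, maxretry=2):
    """IPs with at least `maxretry` hits, i.e. what a jail would ban when
    its findtime covers the whole sample (findtime is not modelled here)."""
    counts = Counter(matched_hosts(lines))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


# Constructed sample: the lines quoted in the post (backslashes doubled so
# the strings hold the literal \r\n that postscreen logs), plus one assumed
# PREGREET from a different EHLO name that must NOT match.
SAMPLE_LOG = [
    "Nov 10 19:20:58 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:57044 after ??????: 6\\2",
    "Nov 10 19:20:57 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:46298 after ??????: W\\",
    "Nov 6 05:57:36 mail postfix/postscreen[15159]: PREGREET 11 after 0.12 from [147.78.103.88]:56690: EHLO User\\r\\n",
    "Oct 30 04:05:40 mail postfix/postscreen[8417]: PREGREET 11 after 0.13 from [87.120.84.90]:58426: EHLO User\\r\\n",
    "Oct 30 04:54:26 mail postfix/postscreen[9258]: PREGREET 11 after 0.13 from [87.120.84.90]:51143: EHLO User\\r\\n",
    "Oct 30 06:50:04 mail postfix/postscreen[11318]: PREGREET 11 after 0.13 from [147.78.103.88]:52788: EHLO User\\r\\n",
    "Oct 30 05:37:00 mail postfix/postscreen[9963]: PREGREET 11 after 0.13 from [147.78.103.88]:54640: EHLO User\\r\\n",
    "Oct 30 07:00:00 mail postfix/postscreen[12000]: PREGREET 20 after 0.10 from [203.0.113.5]:40000: EHLO mail.example\\r\\n",
]

if __name__ == "__main__":
    for ip, n in Counter(matched_hosts(SAMPLE_LOG)).most_common():
        print(f"{ip:16} {n} hit(s)")
    print("would ban (maxretry=2):", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Against the real log the same check is done with Fail2ban's own tool, `fail2ban-regex /var/log/postfix.log /etc/fail2ban/filter.d/<your-filter>.conf`, which reports how many lines each failregex matched and which lines were missed. Keeping the PREGREET pattern pinned to `EHLO User` avoids banning a misconfigured but legitimate sender that merely talks early; the broader COMMAND PIPELINING pattern is included because those lines carry no EHLO name to match on.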


RE: Use Fail2ban and Postscreen to Fight Botnet Connections to Postfix - welly321 - 11-12-2023

Excellent guide for all you Linux nerds