Use Fail2ban and Postscreen to Fight Botnet Connections to Postfix
I noticed multiple unsuccessful connection attempts in my postfix server from various IPs. The EHLO response varies but many of them respond as "User\r\n". See the following log entries from my /var/log/postfix.log file...
Nov 10 19:20:58 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:57044 after ??????: 6\2
Nov 10 19:20:57 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:46298 after ??????: W\
Nov 6 05:57:36 mail postfix/postscreen[15159]: PREGREET 11 after 0.12 from [147.78.103.88]:56690: EHLO User\r\n
Oct 30 04:05:40 mail postfix/postscreen[8417]: PREGREET 11 after 0.13 from [87.120.84.90]:58426: EHLO User\r\n
Oct 30 04:54:26 mail postfix/postscreen[9258]: PREGREET 11 after 0.13 from [87.120.84.90]:51143: EHLO User\r\n
Oct 30 06:50:04 mail postfix/postscreen[11318]: PREGREET 11 after 0.13 from [147.78.103.88]:52788: EHLO User\r\n
Oct 30 05:37:00 mail postfix/postscreen[9963]: PREGREET 11 after 0.13 from [147.78.103.88]:54640: EHLO User\r\n
As you can see, these connection attempts are coming from many different IP addresses. The best way to handle these attempts is with a custom Fail2ban rule that can match against the EHLO response. Fail2ban is log monitoring software that is able to take action when it matches a rule. These actions can vary but the default is to "ban" the IP and/or port by creating a rule in iptables. I will walk through the setup of this custom Fail2ban rule and the subsequent testing and verifying of the rule.
Read More …
https://tictactech.net/category-blog/lin...net-logins
I noticed multiple unsuccessful connection attempts in my postfix server from various IPs. The EHLO response varies but many of them respond as "User\r\n". See the following log entries from my /var/log/postfix.log file...
Nov 10 19:20:58 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:57044 after ??????: 6\2
Nov 10 19:20:57 mail postfix/postscreen[18652]: COMMAND PIPELINING from [162.142.125.10]:46298 after ??????: W\
Nov 6 05:57:36 mail postfix/postscreen[15159]: PREGREET 11 after 0.12 from [147.78.103.88]:56690: EHLO User\r\n
Oct 30 04:05:40 mail postfix/postscreen[8417]: PREGREET 11 after 0.13 from [87.120.84.90]:58426: EHLO User\r\n
Oct 30 04:54:26 mail postfix/postscreen[9258]: PREGREET 11 after 0.13 from [87.120.84.90]:51143: EHLO User\r\n
Oct 30 06:50:04 mail postfix/postscreen[11318]: PREGREET 11 after 0.13 from [147.78.103.88]:52788: EHLO User\r\n
Oct 30 05:37:00 mail postfix/postscreen[9963]: PREGREET 11 after 0.13 from [147.78.103.88]:54640: EHLO User\r\n
As you can see, these connection attempts are coming from many different IP addresses. The best way to handle these attempts is with a custom Fail2ban rule that can match against the EHLO response. Fail2ban is log monitoring software that is able to take action when it matches a rule. These actions can vary but the default is to "ban" the IP and/or port by creating a rule in iptables. I will walk through the setup of this custom Fail2ban rule and the subsequent testing and verifying of the rule.
Read More …
https://tictactech.net/category-blog/lin...net-logins
