
Block IP from brute force attacks on mail forwarder using CIDR #87

mike-crawfurd opened this issue Jan 24, 2021 · 4 comments

@mike-crawfurd

Hi,

One of my dockers based on your great work is being attacked by some people trying to brute force it. The IPs seem limited to two or three, so it should be easy to block them. An article on how to do this is here: https://ethitter.com/2016/03/blocking-sender-ips-in-postfix/

Example of the logs where people try to log in:
Jan 24 09:42:36 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]
Jan 24 09:42:37 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Jan 24 09:42:38 cafff8e519dd postfix/smtpd[24875]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 24 09:42:45 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure
Jan 24 09:42:47 cafff8e519dd postfix/smtpd[25002]: disconnect from unknown[212.70.149.85] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 24 09:42:51 cafff8e519dd postfix/smtpd[24875]: connect from unknown[212.70.149.54]
Jan 24 09:42:57 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]

However, it seems the postmap in your docker is not able to handle cidr, as I get this error message below:
bash-5.0# postmap cidr:client_checks
postmap: fatal: unsupported dictionary type: cidr. Is the postfix-cidr package installed?
bash-5.0#

Is it possible to upgrade the postfix package to one that includes the cidr capability?
Since my 'attackers' seem limited, I do not feel I need to use other tools to block them.

Thanks,
Mike

@huan (Owner) commented Jan 24, 2021

Hi Mike,

I'd like to upgrade the postfix package so that your CIDR capability can be supported.

Pull Request is welcome.

@mike-crawfurd (Author) commented Jan 24, 2021 via email
Hi Huan,
Apologies, I do not really know how to do a pull request. Can you point me to what you need me to do?
Regards,
Mike

@dgraziotin (Contributor)

@mike-crawfurd meanwhile, you could easily set up fail2ban to block these attempts.

This is my /etc/fail2ban/jail.d/saslmail.conf

[saslmail]
enabled  = true
port     = 25,465,587
filter   = saslmail
logtimezone = UTC
logpath  = /var/lib/docker/containers/*/*-json.log
bantime = 600
findtime = 600
maxretry = 3
action = iptables-allports[chain="FORWARD"]

maxretry = 3 is a bit strict, FYI. You can raise it to a higher value.

This is my /etc/fail2ban/filter.d/saslmail.conf

[Definition]
failregex = ^.*\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$
            ^.*reject: RCPT from \S+\[<HOST>\]:.*Relay access denied.*$
            ^.*lost connection after .*\[<HOST>\].*$
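The two approaches in this thread (a postfix `cidr:` client_checks table as in the opening post, and the fail2ban filter above) can be checked offline against the log excerpt before touching a live mail host. The following script is an added example, not code from this project or from either commenter: it reimplements the three `failregex` lines from the `saslmail` filter in Python (fail2ban substitutes its `<HOST>` tag in much the same way), unwraps Docker `json-file` log lines the way the `logpath` above implies, applies a `findtime`/`maxretry` window like the jail, and renders the offenders as a `cidr:` table that `postmap cidr:` would accept. The IPs and the first four log lines are taken from the issue; the remaining log lines, and the function names, are constructed for the example.

```python
import ipaddress
import json
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Added example (not the project's code): fail2ban's <HOST> tag replaced by a
# named group so the three failregex lines from saslmail.conf can run under re.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(r"^.*\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$"),
    re.compile(r"^.*reject: RCPT from \S+\[" + HOST + r"\]:.*Relay access denied.*$"),
    re.compile(r"^.*lost connection after .*\[" + HOST + r"\].*$"),
]
# syslog-style prefix written by postfix; it carries no year, so one is supplied.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample input: first four lines are from the issue's excerpt, the
# rest are made up to exercise the maxretry window (one in Docker json-file form).
SAMPLE_LOG: List[str] = [
    "Jan 24 09:42:36 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]",
    "Jan 24 09:42:37 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 09:42:38 cafff8e519dd postfix/smtpd[24875]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4",
    "Jan 24 09:42:45 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 09:43:10 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL PLAIN authentication failed: authentication failure",
    '{"log":"Jan 24 09:44:02 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure\\n","stream":"stderr","time":"2021-01-24T09:44:02.1Z"}',
    "Jan 24 10:30:00 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure",
]


def unwrap_docker_json(line: str) -> str:
    """Docker's json-file driver wraps each line as {"log": ...}; the failregex
    lines match the raw postfix message inside that field."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line).get("log", "").rstrip("\n")
        except ValueError:
            return line
    return line


def parse_failure(line: str, year: int = 2021) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, host) if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            ts = SYSLOG_TS.match(line)
            if not ts:
                return None
            when = datetime.strptime(f"{year} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
            return when, m.group("host")
    return None


def offenders(lines: Iterable[str], findtime: int = 600, maxretry: int = 3,
              year: int = 2021) -> Dict[str, datetime]:
    """fail2ban-style decision: a host is listed once it produces maxretry
    failures inside any findtime-second window. Returns host -> time of ban."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for raw in lines:
        hit = parse_failure(unwrap_docker_json(raw), year)
        if hit:
            when, host = hit
            events[host].append(when)
    banned: Dict[str, datetime] = {}
    for host, times in events.items():
        window: deque = deque()
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) >= maxretry:
                banned[host] = t
                break
    return banned


def cidr_table(hosts: Iterable[str], prefix: int = 32, action: str = "REJECT") -> str:
    """Render a postfix cidr: lookup table. prefix=32 blocks single hosts;
    a wider prefix (e.g. 24) blocks the surrounding range, which is a policy
    choice. Overlapping entries are merged; postfix matches cidr tables top-down."""
    nets = (ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts)
    return "\n".join(f"{n} {action}" for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    print(cidr_table(offenders(SAMPLE_LOG)))
```

Write the output to a file such as `client_checks`, run `postmap cidr:client_checks` (on a postfix build that has the `cidr` dictionary type) and reference it from `smtpd_client_restrictions`. Note that the sample only reaches `maxretry` for one of the two hosts in the excerpt: the other host's second failure falls outside the 600-second window, which is exactly the kind of case the jail's `findtime` setting governs.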
