On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> <MVNCH>
> > One thing I don't understand is how/why the firewall is DROPping so
> > many attempts on port 25 when it in fact has a port forward rule sending
> > port 25 on to my mailserver. How does it know, or why does it think that
> > some of them can be dropped at the outer barrier?
> >
> >> you, but thank you for taking a hundred thousand or so for all of us.
> >
> > Hey, it's the least I can do for all the good guys out there! :)
> > But that doesn't mean the same dratsabs aren't hitting all the rest
> > of you too.
> >
> I'm sure they are. Are you running fail2ban?
>

Several years back I switched from sendmail to postfix.
Not knowing what I was doing, I think I have it set to
say it will forward email following SASL authentication.
But as I had no intention of forwarding anything, I did
not set up any authentication methods. So anyone who
tries fails to authenticate.

With fail2ban in place I get 200-500 daily SASL "fail to
authenticate" instances. In contrast, several months ago
fail2ban either died or did not restart correctly. This
went unnoticed for about a week. During that time I got
10000-32000 daily "failed to authenticate".

Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA  20190              (703) 935-6720 (C)
On Fri, Aug 02, 2019 at 02:38:05PM -0400, Jon LaBadie wrote:
> On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > Fred Smith wrote:
> > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > <MVNCH>
> > > One thing I don't understand is how/why the firewall is DROPping so
> > > many attempts on port 25 when it in fact has a port forward rule sending
> > > port 25 on to my mailserver. How does it know, or why does it think that
> > > some of them can be dropped at the outer barrier?
> > >
> > >> you, but thank you for taking a hundred thousand or so for all of us.
> > >
> > > Hey, it's the least I can do for all the good guys out there! :)
> > > But that doesn't mean the same dratsabs aren't hitting all the rest
> > > of you too.
> > >
> > I'm sure they are. Are you running fail2ban?
> >
> Several years back I switched from sendmail to postfix.
> Not knowing what I was doing, I think I have it set to
> say it will forward email following SASL authentication.
> But as I had no intention of forwarding anything, I did
> not set up any authentication methods. So anyone who
> tries fails to authenticate.
>
> With fail2ban in place I get 200-500 daily SASL "fail to
> authenticate" instances. In contrast, several months ago
> fail2ban either died or did not restart correctly. This
> went unnoticed for about a week. During that time I got
> 10000-32000 daily "failed to authenticate".

I'm not using fail2ban, and am using sendmail (why? because
I've spent years slowly accumulating options in my .mc file that
kill off unwanted connections and other hate-the-spammer options.).
I'm not getting such emails but most of the entries in /var/log/mail
are due to such events. Every now and then a legitimate email can
be seen passing through.

Oh, I also am now using (as of 2-3 years ago) milter-greylist, which
made an enormous contribution to preventing spam emails.

Fred
-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
  "For the word of God is living and active. Sharper than any double-edged
   sword, it penetrates even to dividing soul and spirit, joints and marrow;
   it judges the thoughts and attitudes of the heart."
---------------------------- Hebrews 4:12 (niv) ------------------------------
On Fri, Aug 02, 2019 at 02:43:30PM -0400, Fred Smith wrote:
> On Fri, Aug 02, 2019 at 02:38:05PM -0400, Jon LaBadie wrote:
> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > > Fred Smith wrote:
> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > > <MVNCH>
> > > > One thing I don't understand is how/why the firewall is DROPping so
> > > > many attempts on port 25 when it in fact has a port forward rule sending
> > > > port 25 on to my mailserver. How does it know, or why does it think that
> > > > some of them can be dropped at the outer barrier?
> > > >
> > > >> you, but thank you for taking a hundred thousand or so for all of us.
> > > >
> > > > Hey, it's the least I can do for all the good guys out there! :)
> > > > But that doesn't mean the same dratsabs aren't hitting all the rest
> > > > of you too.
> > > >
> > > I'm sure they are. Are you running fail2ban?
> > >
> > Several years back I switched from sendmail to postfix.
> > Not knowing what I was doing, I think I have it set to
> > say it will forward email following SASL authentication.
> > But as I had no intention of forwarding anything, I did
> > not set up any authentication methods. So anyone who
> > tries fails to authenticate.
> >
> > With fail2ban in place I get 200-500 daily SASL "fail to
> > authenticate" instances. In contrast, several months ago
> > fail2ban either died or did not restart correctly. This
> > went unnoticed for about a week. During that time I got
> > 10000-32000 daily "failed to authenticate".
>
> I'm not using fail2ban, and am using sendmail (why? because
> I've spent years slowly accumulating options in my .mc file that
> kill off unwanted connections and other hate-the-spammer options.).
> I'm not getting such emails but most of the entries in /var/log/mail
> are due to such events. Every now and then a legitimate email can
> be seen passing through.
>
> Oh, I also am now using (as of 2-3 years ago) milter-greylist, which
> made an enormous contribution to preventing spam emails.
>
> Fred

I tried greylisting a while back and was surprised how many were
being rejected. But they were also getting through despite the
rejection at my end. I use a 3rd party as my backup MX email
address. If I'm down, they save up the email and forward it to me
when I'm back up. But the greylist rejected emails just tried the
backup MX address and got through that way.

Should I ever have a backup MX that I administer, I will definitely
reinstate greylisting.

Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA  20190              (703) 935-6720 (C)
On 02/08/2019 19:38, Jon LaBadie wrote:
> On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
>> Fred Smith wrote:
>>> On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
>> <MVNCH>
>>> One thing I don't understand is how/why the firewall is DROPping so
>>> many attempts on port 25 when it in fact has a port forward rule sending
>>> port 25 on to my mailserver. How does it know, or why does it think that
>>> some of them can be dropped at the outer barrier?
>>>
>>>> you, but thank you for taking a hundred thousand or so for all of us.
>>> Hey, it's the least I can do for all the good guys out there! :)
>>> But that doesn't mean the same dratsabs aren't hitting all the rest
>>> of you too.
>>>
>> I'm sure they are. Are you running fail2ban?
>>
> Several years back I switched from sendmail to postfix.
> Not knowing what I was doing, I think I have it set to
> say it will forward email following SASL authentication.
> But as I had no intention of forwarding anything, I did
> not set up any authentication methods. So anyone who
> tries fails to authenticate.
>
> With fail2ban in place I get 200-500 daily SASL "fail to
> authenticate" instances. In contrast, several months ago
> fail2ban either died or did not restart correctly. This
> went unnoticed for about a week. During that time I got
> 10000-32000 daily "failed to authenticate".
>
> Jon

I've been using fail2ban for some time, I have a number of ports open to the
Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.

This thread made me look at how fail2ban was doing, and I noticed that it
wasn't particularly working too well for SSH, as I have turned off password
authentication, so I edited the filters a little, and found it started
filtering some more IPs.

I found on my firewall that there were something like 500 active connection
states to SSH - it looked like a scanning tool was just hanging and sending
many connections, the same thing for about three remote IPs - I put a manual
block on these at the firewall.

The firewall has a block feature, which allows me to enter URLs which point
to lists of IPs (Blocklists) and block traffic from those IPs at the
firewall.

It's designed to use these types of IP feeds: http://iplists.firehol.org/

Well, there's nothing stopping me running a cron-job on my CentOS boxes to
do the following:

iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /tmp/banned

I can then transfer the banned file to a web-server and block the bad IP
addresses completely from my network. I like this as if a system is
brute-forcing my SSH server, I can now block it from all resources on the
network, and stop the attempts even reaching the internal hosts.
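[Editor's added example, not Giles's cron job.] The one-liner above takes every REJECT rule in the filter table, which is fine until a manual REJECT for a single host, or a rule in some other chain, gets exported to the firewall as if fail2ban had banned it. The script below scopes the extraction to fail2ban's own chains. It assumes fail2ban 0.9 or later with the default iptables-* ban actions, whose per-jail chains are named f2b-<jail> (older releases used fail2ban-<jail>); the sample `iptables -L -n` output and the web-root path in the comment are constructed for the example.

```sh
#!/bin/sh
# Added example, not Giles's cron job: build a blocklist feed from the
# hosts fail2ban has banned, scoped to fail2ban's own chains rather than
# every REJECT rule in the filter table.
#
# Assumptions (check them on your box): fail2ban 0.9 or later with the
# default iptables-* ban actions, which create one chain per jail named
# f2b-<jail>; older releases named them fail2ban-<jail>.  Bans made with
# the ipset or nftables actions do not appear in `iptables -L` at all.

# extract_banned: read `iptables -L -n` output on stdin and print the
# source of every REJECT or DROP rule aimed at a specific host or prefix,
# sorted and deduplicated.  Catch-all rules (source 0.0.0.0/0) and header
# lines are skipped; the address test keeps stray text out of the feed.
extract_banned() {
    awk '($1 == "REJECT" || $1 == "DROP") &&
         $4 != "0.0.0.0/0" &&
         $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $4 }' |
        sort -u
}

# banned_from_f2b_chains: list only the f2b-* chains, so a manual REJECT
# for a single host elsewhere in INPUT never ends up in the feed either.
# Needs root; the f2b- prefix is the assumption stated above.
banned_from_f2b_chains() {
    iptables -S | awk '$1 == "-N" && $2 ~ /^f2b-/ { print $2 }' |
        while read -r chain; do
            iptables -L "$chain" -n
        done | extract_banned
}

# Constructed sample of `iptables -L -n` output, in the layout the
# iptables-multiport action produces: a jump from INPUT into f2b-sshd,
# a catch-all REJECT that must be ignored, and a duplicate ban.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.5          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.77        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.5          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Cron usage, writing the feed where the firewall can fetch it (the path
# is an assumption); the rename keeps the firewall from reading a
# half-written file:
#   banned_from_f2b_chains > /var/www/html/banned.txt.tmp &&
#       mv /var/www/html/banned.txt.tmp /var/www/html/banned.txt
#
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_IPTABLES" | extract_banned
```

Two things to check before trusting the feed: `iptables -L -n` only shows the filter table, and if the jails use the ipset or nftables actions the banned hosts live in `ipset list` or `nft list set` instead, so the list would come out empty; and IPv6 bans are in `ip6tables`, which needs the same pass separately.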
On Sat, Aug 03, 2019 at 04:50:05PM +0100, Giles Coochey wrote:
>
> On 02/08/2019 19:38, Jon LaBadie wrote:
> > On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
> > > Fred Smith wrote:
> > > > On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> > > <MVNCH>
> >
> I've been using fail2ban for some time, I have a number of ports open to the
> Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.
>
> This thread made me look at how fail2ban was doing, and I noticed that it
> wasn't particularly working too well for SSH, as I have turned off password
> authentication, so I edited the filters a little, and found it started
> filtering some more IPs. I found on my firewall that there were something
> like 500 active connection states to SSH - it looked like a scanning tool
> was just hanging and sending many connections, the same thing for about
> three remote IPs - I put a manual block on these at the firewall.
>
> The firewall has a block feature, which allows me to enter URLs which point
> to lists of IPs (Blocklists) and block traffic from those IPs at the
> firewall.
>
> It's designed to use these types of IP feeds: http://iplists.firehol.org/
>
> Well, there's nothing stopping me running a cron-job on my CentOS boxes to
> do the following:
>
> iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' >
> /tmp/banned
>
> I can then transfer the banned file to a web-server and block the bad IP
> addresses completely from my network. I like this as if a system is
> brute-forcing my SSH server, I can now block it from all resources on the
> network, and stop the attempts even reaching the internal hosts.

I've found the default 10min bans hardly bother some attackers.
So I've added the "recidive" feature of fail2ban. After the
second 10min ban, the attacker is blocked for 1 week.

jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA  20190              (703) 935-6720 (C)
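[Editor's added example, not Jon's configuration.] The recidive jail Jon describes is a stock jail that watches fail2ban's own log for the "Ban <ip>" lines written by the other jails and hands repeat offenders a much longer, all-ports ban. The fragment below is a jail.local that enables it with the thresholds Jon gives (second ban inside a day earns a week), together with the sshd and postfix-sasl jails this thread is about, and an awk tally that shows which hosts in a fail2ban.log would trip it. The file path, the log path and the log lines are constructed for the example; the 0.9/0.10 log layout and the stock jail names are the assumptions to check against your own install.

```sh
#!/bin/sh
# Added example, not Jon's configuration: a jail.local fragment that
# enables fail2ban's stock "recidive" jail so that a second ban within a
# day turns into a one-week ban on every port, and an awk tally that shows
# which hosts in a fail2ban.log would trip it.  The install path, log path
# and log lines are constructed for the example; check them against your
# own fail2ban.

# write_recidive_jail FILE: write the fragment.  recidive reads fail2ban's
# own log for "Ban <ip>" lines from the other jails (its filter skips
# its own bans, so it cannot re-trigger itself).  Times are in seconds
# because releases before 0.10 do not accept "1w"/"1d".  The sshd and
# postfix-sasl jails are the two this thread is about; both ship in
# jail.conf and only need enabling.
write_recidive_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled = true

[postfix-sasl]
enabled = true

[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = iptables-allports
findtime  = 86400
bantime   = 604800
maxretry  = 2
EOF
}

# recidivists LIMIT: read fail2ban.log lines on stdin and print, sorted,
# every host banned at least LIMIT times by jails other than recidive.
# It matches the same line shape the recidive filter does (NOTICE,
# [jail], Ban, address) but ignores findtime, so it counts the whole input.
recidivists() {
    awk -v limit="$1" '
        /NOTICE +\[.*\] Ban / && !/\[recidive\]/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip }
    ' | sort
}

# Constructed fail2ban.log excerpt in the 0.9/0.10 layout.  203.0.113.5
# is banned twice by sshd (its later recidive ban must not count a third
# time); 198.51.100.77 is banned once; the Unban and Found lines are noise.
SAMPLE_F2B_LOG='2019-08-03 10:00:01,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-08-03 10:10:02,000 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2019-08-03 10:12:03,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2019-08-03 10:15:04,000 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 198.51.100.77
2019-08-03 10:16:05,000 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 203.0.113.5
2019-08-03 10:30:06,000 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.9'

# Offline demonstration: with maxretry = 2 only 203.0.113.5 qualifies.
printf '%s\n' "$SAMPLE_F2B_LOG" | recidivists 2
```

Drop the fragment in /etc/fail2ban/jail.d/ (or append it to jail.local), restart fail2ban, and confirm with `fail2ban-client status recidive` that the jail is reading the log. Two caveats: recidive only ever sees bans the other jails actually issue, so a jail that misses the attack (Giles's password-less sshd case) leaves it with nothing to count; in fail2ban 0.10 and later the sshd filter's `mode = aggressive` setting widens what counts as a failure, which is the kind of filter edit Giles describes. And because recidive's ban is all-ports and a week long, a mis-tuned upstream jail that bans your own monitoring host twice locks it out of everything, so put your own addresses in `ignoreip` before enabling it.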