On 7/25/2016 12:04, Ronald Klop wrote:
> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger
> <karl at denninger.net> wrote:
>
>> This may not belong in "stable", but since Postfix is one of the
>> high-performance alternatives to sendmail....
>>
>> Question is this -- I have sshguard protecting connections inbound, but
>> Postfix appears to be ignoring it, which implies that it is not paying
>> attention to the hosts.allow file (and the wrapper that enables it.)
>>
>> Recently a large body of clowncars have been targeting my sasl-enabled
>> https gateway (which I use for client machines and thus do in fact need)
>> and while sshguard picks up the attacks and tries to ban them, postfix
>> is ignoring the entries it makes which implies it is not linked with the
>> tcp wrappers.
>>
>> A quick look at the config for postfix doesn't disclose an obvious
>> configuration solution....did I miss it?
>>
>
> Don't know if postfix can handle tcp wrappers, but I use bruteblock
> [1] for protecting connections via the ipfw firewall. I use this for
> ssh and postfix.
>
I recompiled sshguard to use ipfw and stuck the table lookup in my
firewall config..... works, and is software-agnostic (thus doesn't care
if something was linked against tcpwrappers or not.)

--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
On Jul 25, 2016, at 10:32 AM, Karl Denninger <karl at denninger.net> wrote:

> On 7/25/2016 12:04, Ronald Klop wrote:
>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger
>> <karl at denninger.net> wrote:
>>
>>> This may not belong in "stable", but since Postfix is one of the
>>> high-performance alternatives to sendmail....
>>>
>>> Question is this -- I have sshguard protecting connections inbound, but
>>> Postfix appears to be ignoring it, which implies that it is not paying
>>> attention to the hosts.allow file (and the wrapper that enables it.)
>>>
>>> Recently a large body of clowncars have been targeting my sasl-enabled
>>> https gateway (which I use for client machines and thus do in fact need)
>>> and while sshguard picks up the attacks and tries to ban them, postfix
>>> is ignoring the entries it makes which implies it is not linked with the
>>> tcp wrappers.
>>>
>>> A quick look at the config for postfix doesn't disclose an obvious
>>> configuration solution....did I miss it?
>>>
>>
>> Don't know if postfix can handle tcp wrappers, but I use bruteblock
>> [1] for protecting connections via the ipfw firewall. I use this for
>> ssh and postfix.
>>
> I recompiled sshguard to use ipfw and stuck the table lookup in my
> firewall config..... works, and is software-agnostic (thus doesn't care
> if something was linked against tcpwrappers or not.)
>
> --
> Karl Denninger
> karl at denninger.net
> /The Market Ticker/
> /[S/MIME encrypted email preferred]/

I would triple concur with the above advice. Using ipfw is a much better
choice (especially at high volume) as ipfw works primarily at layer 3 (and
in the kernel itself), whereas tcp wrappers works at layer 7 (requiring
application awareness).

Here are the handbook references:

https://www.freebsd.org/doc/handbook/tcpwrappers.html
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
On 25-7-2016 19:32, Karl Denninger wrote:
> On 7/25/2016 12:04, Ronald Klop wrote:
>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger
>> <karl at denninger.net> wrote:
>>
>>> This may not belong in "stable", but since Postfix is one of the
>>> high-performance alternatives to sendmail....
>>>
>>> Question is this -- I have sshguard protecting connections inbound, but
>>> Postfix appears to be ignoring it, which implies that it is not paying
>>> attention to the hosts.allow file (and the wrapper that enables it.)
>>>
>>> Recently a large body of clowncars have been targeting my sasl-enabled
>>> https gateway (which I use for client machines and thus do in fact need)
>>> and while sshguard picks up the attacks and tries to ban them, postfix
>>> is ignoring the entries it makes which implies it is not linked with the
>>> tcp wrappers.
>>>
>>> A quick look at the config for postfix doesn't disclose an obvious
>>> configuration solution....did I miss it?
>>>
>>
>> Don't know if postfix can handle tcp wrappers, but I use bruteblock
>> [1] for protecting connections via the ipfw firewall. I use this for
>> ssh and postfix.

Given the fact that both tcpwrappers and postfix originate from the same
author (Wietse Venema) I'd be very surprised if you could not do this.
http://www.postfix.org/linuxsecurity-200407.html

But grepping the binary for libwrap it does seem to be the case.

Note that you can also educate sshguard to actually use a script to do
whatever you want it to do. I'm using it to add rules to an ipfw table
that is used in a deny-rule. Reloading the fw keeps the deny-rules,
flushing the table deletes all blocked hosts without reloading the
firewall. Both times a bonus.

--WjW
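The script below is an added example, not code from this thread, from sshguard or from FreeBSD. It shows the glue the last two replies describe: a brute-force detector hands the script an address, the script checks that it really is an address literal and adds it to an ipfw table, and a single deny rule consults that table, so bans and unbans never touch the ruleset and a table flush releases everyone at once. The command-line interface (block, release, flush, setup), table number 1 and rule number 100 are assumptions chosen for illustration; sshguard's own way of invoking an external blocker differs by version, and a FreeBSD 11-style table holding both IPv4 and IPv6 addresses is assumed. DRY_RUN=1 prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# ipfw-table blocker: added example, not code from the thread, sshguard or
# FreeBSD. Assumed interface (not from the thread): a detector such as
# sshguard calls this script as
#     blocker.sh block <addr>     add a host to the deny table
#     blocker.sh release <addr>   remove it again
#     blocker.sh flush            unban everyone without reloading the firewall
#     blocker.sh setup            install the one deny rule that consults the table
# TABLE (1) and RULE_NUM (100) are illustrative values. DRY_RUN=1 prints the
# ipfw commands instead of executing them.
TABLE="${TABLE:-1}"
RULE_NUM="${RULE_NUM:-100}"
IPFW="${IPFW:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted quad: four 0-255 octets, no leading zeros, no stray dots.
valid_ipv4() {
    _a=$1
    case "$_a" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    _oldifs=$IFS; IFS=.
    set -- $_a
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|0?*) return 1 ;; esac
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Syntactic sanity check for an IPv6 literal: hex groups of at most four
# digits, at most one "::", no zone id. ipfw does the authoritative parse.
valid_ipv6() {
    _a=$1
    case "$_a" in
        ''|*[!0-9a-fA-F:]*|*::*::*) return 1 ;;
        *:*:*) ;;
        *) return 1 ;;
    esac
    [ "${#_a}" -le 39 ] || return 1
    _oldifs=$IFS; IFS=:
    set -- $_a
    IFS=$_oldifs
    [ $# -le 8 ] || return 1
    for _g in "$@"; do
        [ "${#_g}" -le 4 ] || return 1
    done
    return 0
}

valid_addr() { valid_ipv4 "$1" || valid_ipv6 "$1"; }

# Execute an ipfw command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Every action refuses anything that is not an address literal, so a detector
# that hands over a mangled log field cannot smuggle extra ipfw arguments.
block_addr()   { valid_addr "$1" || return 1; run "$IPFW" table "$TABLE" add "$1"; }
release_addr() { valid_addr "$1" || return 1; run "$IPFW" table "$TABLE" delete "$1"; }
flush_table()  { run "$IPFW" table "$TABLE" flush; }

# One rule, installed once. Bans come and go in the table, so the ruleset
# never needs reloading and a reload never loses the rule.
install_deny_rule() {
    run "$IPFW" add "$RULE_NUM" deny ip from "table($TABLE)" to me
}

main() {
    case "$1" in
        block)   block_addr "$2" ;;
        release) release_addr "$2" ;;
        flush)   flush_table ;;
        setup)   install_deny_rule ;;
        *) echo "usage: $0 block <addr> | release <addr> | flush | setup" >&2
           return 64 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can also be
# sourced from another script.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Run `DRY_RUN=1 sh blocker.sh block 203.0.113.9` to see the exact ipfw invocation before wiring the script into a detector; `sh blocker.sh setup` installs the deny rule once, and `sh blocker.sh flush` empties the table without touching the ruleset.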