Poll: Is this overkill?
No way! Good idea! Every bit helps. Stop spammers dead: 3 (42.86%)
Yes, 550 happens; you will lose mail and regret it!: 0 (0%)
Sure, maybe limiting to 4 attempts on a small host would really help!: 1 (14.29%)
Tell me how that works out. If it works, I want that!: 3 (42.86%)
Voters: 7.

#1  18th November 2008, 03:20
frank2 (Junior Member)
fail2ban maybe help ease postfix from spammers

I've been playing with finding a way to reduce spam. I am a Debian user who has an ISPConfig setup, and I noticed fail2ban has added some support for email,

but nothing to deal with
"rejected: User unknown in local recipient table" messages.

Now I am not an expert. But one thing I know is that security usually causes lots of problems when you try to go the extra mile.

So I thought I would run it by some of you before I actually sit down and start running it.

I will run it on one domain first to see if it makes a difference.

I am unsure if it will affect email forwards, though? Anyone's thoughts?

Here is the filter I found on the net showing a 554 error from the mail log:

Quote:
failregex = reject: (?:RCPT|VRFY) from [a-zA-Z.0-9-]*.(?P<host>[0-9.]*).:(?:.*Relay access denied|554 Service unavailable; Client host \S* blocked using|(?:Sender|Recipient) address rejected)
Here is what I want to do with it: form it to block 550 errors, and I could use some help:
Quote:
failregex = reject: RCPT from (.*)\[<HOST>\]: 550
So before I start losing mail and screwing things up, what do you think?!

Now I figure from my logs it looks like they try like 4-5 times. How many legit ones get through 4 or 5 mistakes, and even if they do, a delay is no big deal, is it?

Not sure what I am talking about.

Then take a look at some of these from my mail.log: these evil name-harvesting bots eating up CPU time, memory and bandwidth. We can go on all day about how bad spam is. Every little bit will help, x 10 fold. So I am crying for some tips here!
Quote:
Nov 16 13:46:26 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <garner@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<haileydoreen_de@minpost.nu> to=<garner@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:26 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <barrett@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<haileydoreen_de@minpost.nu> to=<barrett@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:26 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <love@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<haileydoreen_de@minpost.nu> to=<love@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:26 s1host postfix/smtpd[27185]: B0130EE05B: client=ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]
Nov 16 13:46:26 s1host postfix/smtpd[27185]: B0130EE05B: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <bates@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<haileydoreen_de@minpost.nu> to=<bates@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:27 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <ellis@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<augustina.marthbo@minpost.nu> to=<ellis@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:27 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <ishop@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<augustina.marthbo@minpost.nu> to=<ishop@ domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:27 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from ppp94-29-84-75.pppoe.spdop.ru[94.29.84.75]: 550 5.1.1 <dennis@ domain.com>: Recipient address rejected: User unknown in local recipient table; from=<augustina.marthbo@minpost.nu> to=<dennis@ domain.com> proto=ESMTP helo=<rqnyt>
#2  18th November 2008, 04:19
_X_ (Senior Member)

I got rid of those with fail2ban.

Simply copy jail.conf to jail.local:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit jail.local and enable:
[postfix]
[courierauth]
[sasl]
and if you want you can enable [couriersmtp]
and if you need
[apache]
[ssh]
[proftpd]

I didn't create a custom filter and stuff... used default values and it works.
Set retry to 3 times, and you can set seconds as much as you want.

Used Ubuntu 8.04, and after the last update I hope fail2ban will work after restart; if not, after a restart of the server:
uninstall fail2ban
install fail2ban
On Ubuntu:
apt-get purge fail2ban
apt-get install fail2ban
To confirm that it is running:
/etc/init.d/fail2ban restart

No need to edit jail.local since the file will not be deleted on uninstall.
#3  18th November 2008, 05:26
frank2 (Junior Member)
So far so good

I think it's working.

I am running the new Debian (Lenny).

apt-get install fail2ban, then edit and add a filter.

All I did was edit the stock
Quote:
/etc/fail2ban/jail.conf
file and add an additional jail.

Here is what I did in my jail.conf file. You can note the regular postfix entry above mine. I just copied that one, added my name and set retries to 3 (make sure you enable it):
Quote:
[postfix]

enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[postfix-spamers550]

enabled = true
port = smtp,ssmtp
# the jail has to name the new filter file in /etc/fail2ban/filter.d, not the stock postfix one
filter = postfix-spamers550
logpath = /var/log/mail.log
maxretry = 3
I called it postfix-spamers550; I sort of wanted a name that represents it best. It will be refined over time. Then I copied the regular postfix filter in the
Quote:
/etc/fail2ban/filter.d
directory and resaved it as
Quote:
postfix-spamers550
Here it is:
# Fail2Ban configuration file
#
# Author: Michael Angel
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the Recipient address rejected: User unknown in
# local recipient table failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 550
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Nice and simple. Then I restarted everything.

Now I have one domain that gets hit like crazy, and I moved it over to this test server and have had it running for at least an hour now, and traffic has slowed down. I mean I can actually tail the end of the mail.log and it does not move like it did.

I am still worried that there is something I am not thinking of that blocking after 3 tries is going to cause.

Last edited by frank2; 18th November 2008 at 06:50. Reason: post my files
#4  18th November 2008, 13:24
madmucho (Senior Member, Karlovy Vary, Czech Republic)
Thank you

I'm blocking a similar attack using the ssh jail; I will add this on my Mandriva servers. Thank you for your time.

Guys, do you use permanent or temp blocking? I use permanent and my hosts.deny is quite large :-) Can this be integrated into a DB (MySQL or Pg)?
#5  19th November 2008, 09:49
madmucho (Senior Member, Karlovy Vary, Czech Republic)
Testing fail2ban recipe

Hi all, I set this rule in fail2ban and modified failregex for some SMTP codes; the recipe is from the fail2ban wiki page.
550 relaying
450 mailbox isn't on server
554 relaying transaction

Now I am testing this in my env.
Code:
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
#6  19th November 2008, 15:50
frank2 (Junior Member)
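To see what these rules would actually ban before switching a jail on, here is an added Python example (not from the thread and not fail2ban's own code) that applies the three failregex lines from post #5 with fail2ban's maxretry/findtime counting over constructed mail.log lines, which also answers the worry in post #3 about a legitimate sender with one typo. It assumes fail2ban's <HOST> expansion and a fixed year for the syslog timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces the <HOST> tag with a named group matching an IP or hostname.
# Assumption: this expansion follows the stock filter comment quoted in the thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The three failregex lines posted in the thread, taken as written.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]
LOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")  # syslog stamp, no year

def parse_failures(lines, year=2008):
    """Yield (timestamp, host) for each mail.log line matching one of the failregex."""
    for line in lines:
        stamp = LOG_TS.match(line)
        if not stamp:
            continue
        ts = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
        for rx in COMPILED:
            hit = rx.search(line)
            if hit:
                yield ts, hit.group("host")
                break  # one failure per line, as fail2ban counts it

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """fail2ban's counting rule: ban a host once it has maxretry matching failures
    inside a sliding window of findtime seconds. Returns {host: hits_at_ban}."""
    recent, banned = defaultdict(list), {}
    for ts, host in parse_failures(lines):
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if host not in banned and len(recent[host]) >= maxretry:
            banned[host] = len(recent[host])
    return banned

# Constructed sample mail.log (RFC 5737 test addresses): a harvester hitting three unknown
# users in one second, a legitimate sender with one typo, and a relay probe 15 minutes apart.
SAMPLE_LOG = """\
Nov 16 13:46:26 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <garner@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<garner@domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:26 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <barrett@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<barrett@domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:46:27 s1host postfix/smtpd[27185]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <love@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<love@domain.com> proto=ESMTP helo=<rqnyt>
Nov 16 13:50:02 s1host postfix/smtpd[27201]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 550 5.1.1 <jhon@domain.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<jhon@domain.com> proto=ESMTP helo=<mail.example.net>
Nov 16 13:51:10 s1host postfix/smtpd[27210]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 <x@other.example>: Relay access denied; from=<z@example.com> to=<x@other.example> proto=SMTP helo=<x>
Nov 16 14:05:00 s1host postfix/smtpd[27230]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 <y@other.example>: Relay access denied; from=<z@example.com> to=<y@other.example> proto=SMTP helo=<x>
Nov 16 14:20:00 s1host postfix/smtpd[27240]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 <w@other.example>: Relay access denied; from=<z@example.com> to=<w@other.example> proto=SMTP helo=<x>
""".splitlines()
```

With the defaults only the harvester is banned; the slow relay probe only trips once findtime is widened, which is the knob to look at before lengthening bantime.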

Quote:
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

Can I do this in one file? I was not sure, so I did a separate file.

I know one thing is for sure: just doing 554 and 550 is working sooo nice. My traffic has slowed down a lot! Now I only do this temp, 50 mins or so. I noticed in my logs I was getting a lot of "already banned". Maybe that's why you run yours permanently?

How's that working out for you? Do you get more hits that way? How are the complaints? Have you lost any mail?

I was thinking of upping the temp time to say a full day; beyond that I fear eventually it could be a legit email. I have mine testing on a test server; I moved over some light-traffic domains. One company gets a lot of international stuff.

Quote:
2008-11-19 08:37:36,745 fail2ban.actions: WARNING [postfix-spamers550] Ban 124.120.191.2
2008-11-19 08:37:37,741 fail2ban.actions: WARNING [postfix] Ban 124.120.191.2
2008-11-19 08:38:49,757 fail2ban.actions: WARNING [postfix] Unban 189.104.220.232
2008-11-19 08:38:49,765 fail2ban.actions: WARNING [postfix-spamers550] Unban 189.104.220.232
2008-11-19 08:39:22,789 fail2ban.actions: WARNING [postfix-spamers550] Ban 61.170.197.7
2008-11-19 08:39:23,785 fail2ban.actions: WARNING [postfix] Ban 61.170.197.7
2008-11-19 08:42:29,801 fail2ban.actions: WARNING [postfix] Ban 221.200.232.222
2008-11-19 08:42:29,805 fail2ban.actions: WARNING [postfix-spamers550] Ban 221.200.232.222
2008-11-19 08:46:28,817 fail2ban.actions: WARNING [postfix] Ban 201.230.186.103
2008-11-19 08:46:28,821 fail2ban.actions: WARNING [postfix-spamers550] Ban 201.230.186.103
If the IP addresses or fake spoofs are common, I figure they make it to the lists, but if they are totally fake, randomly generated info, then I could one day miss an important email that would make someone mad.

Overall, fail2ban with what I did is making a huge difference.