Debian stretch fail2ban satisfying rule for host not found & rbl

Discussion in 'Tips/Tricks/Mods' started by, Oct 5, 2017.

  1. ISPConfig Developer

    If you have a huge amount of entries like
    118028 Oct  5 13:48:19 host postfix/smtpd[12048]: NOQUEUE: reject: RCPT from[]: 450 4.7.1 <exch01.olestage.local>: Helo command rejected: Host not found; from=<> to=<[email protected]> proto=ESMTP helo=<exch01.olestage.local>
    in your and wonder why fail2ban doesn't ban them... it's because the rule is not made for host not found having actual data in it.
    There are improved rulesets for version 0.10/0.11 though.

    Also this might save you some requests / volume on RBL services which usually permit a limited free usage.

    create a custom file
    # Fail2Ban filter for selected Postfix SMTP rejections
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$
                ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
    # Author: Cyril Jaquier
    which is basically a copy of the Debian-shipped version, except for the improved Host-Not-Found rule

    Add this to your
    # section names assumed to match the filter names (one jail per filter)
    [postfix-hnf]
    enabled = true
    port = smtp
    filter = postfix-hnf
    logpath = /var/log/mail.log
    maxretry = 2
    bantime = 10800

    [postfix-rbl]
    enabled = true
    port = smtp
    filter = postfix-rbl
    logpath = /var/log/mail.log
    maxretry = 2
    bantime = 10800
    you might want to adjust bantime; the default of 600 is pretty low

    gently reload fail2ban
    service fail2ban reload
    and check your logfile for growing bans and reduced DNS lookups from your server
    tail -f /var/log/fail2ban.log
  2. ISPConfig Developer

    to get rid of Relay access denied spamming
    ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$
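As an added illustration (not code from either post or from fail2ban itself), the three rejection rules from the two posts above run over constructed mail.log lines in a small Python re-implementation of the matching: %(__prefix_line)s is replaced by a simplified syslog prefix regex and <HOST> by an IPv4 group, both assumptions of this example rather than fail2ban's exact definitions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(__prefix_line)s: assumes a plain
# "Mon DD HH:MM:SS host postfix/smtpd[pid]: " syslog prefix (common.conf accepts more).
PREFIX = (r"^\s*\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
          r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]:\s+")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # fail2ban's <HOST>, IPv4 only here
REJECT = r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: "
RULES = {  # the three rules from the thread, verbatim apart from <HOST>
    "cannot-find-hostname": REJECT + r"450 4\.7\.1 Client host rejected: cannot find your "
        r"hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
    "helo-host-not-found": REJECT + r"450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$",
    "relay-access-denied": REJECT + r"454 4\.7\.1 <\S*>: Relay access denied;.*$",
}
COMPILED = {name: re.compile(PREFIX + rx) for name, rx in RULES.items()}

def match_line(line):
    """Return (rule name, client IP) for the first rule that matches, else None."""
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            return name, m.group("host")
    return None

def hits_per_host(lines):
    """Count matches per client IP; fail2ban bans once a host reaches maxretry."""
    return Counter(host for _, host in filter(None, map(match_line, lines)))

# Constructed sample log (documentation IP ranges, not real hosts).
P = "Oct  5 13:48:19 mx postfix/smtpd[12048]: "
SAMPLE_LOG = [
    P + "NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.example.invalid>: "
        "Helo command rejected: Host not found; from=<> to=<u@example.com> proto=ESMTP helo=<exch01.example.invalid>",
    P + "NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.example.invalid>: "
        "Helo command rejected: Host not found; from=<> to=<u@example.com> proto=ESMTP helo=<exch01.example.invalid>",
    P + "NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find "
        "your hostname, [198.51.100.7]; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<foo>",
    P + "NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <s@example.org>: Relay access denied; "
        "from=<x@example.net> to=<s@example.org> proto=ESMTP helo=<bar>",
    P + "connect from mail.example.net[192.0.2.20]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line))
    print(hits_per_host(SAMPLE_LOG))  # 192.0.2.10 reaches the thread's maxretry = 2
```

The first two sample lines are the "Host not found" shape from the first post that the stock rule ignores; only the improved rule attributes them to the client IP, which is what lets the jail reach maxretry.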
