fail2ban maybe help ease postfix from spammers

Discussion in 'Tips/Tricks/Mods' started by frank2, Nov 18, 2008.


Is this over kill?

Poll closed Nov 13, 2009.
  1. No way! Good idea! Every bit helps. Stop spammers dead

    42.9%
  2. Yes, 550 happens, you will lose mail and regret it!

    0 vote(s)
    0.0%
  3. Sure maybe limit 4 attempts on a small host would really help!

    14.3%
  4. Tell me how that works out. If it works I want that!

    42.9%
  1. frank2

    frank2 New Member

    I've been playing with finding a way to reduce spam. I am a Debian user who has an ISPConfig setup and noticed fail2ban has added some support for email

    but nothing to deal with
    "rejected: User unknown in local recipient table" messages

    Now I am not an expert. But one thing I know is security usually causes lots of problems when you try to go the extra mile.

    so I thought I would run it by some of you before I actually sit down and start running it ..

    I will run it on one domain first to see if it makes a difference.

    I am unsure if it will affect email forwards though? Anyone's thoughts?

    here is the filter I found on the net showing a 554 error from mail log

    what I am wanting to do with it is adapt it to block 550 errors, and I could use some help
    so before I start losing mail and screw things up what do you think?!

    now I figure from my logs it looks like they try like 4-5 times.. how many legit ones get through 4-5 mistakes, and even if they do, a delay is no big deal, is it?

    not sure what I am talking about.

    then take a look at some of these from my mail.log: these evil name harvesting bots eating up cpu time, memory and bandwidth. we can go on all day about how bad spam is. every little bit will help x 10 fold. So I am crying for some tips here!
     
  2. _X_

    _X_ New Member

    I got rid of those with fail2ban.

    simply copy jail.conf to jail.local

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    edit jail.local

    enable:
    [postfix]
    [courierauth]
    [sasl]
    and if you want you can enable [couriersmtp]
    and if you need
    [apache]
    [ssh]
    [proftpd]

    I didn't create a custom filter and stuff ... used default values and it works.
    set retry to 3 times and you can set seconds as much as you want.

    Used Ubuntu 8.04 and after the last update I hope fail2ban will work after restart, and if not after a restart of the server:
    uninstall fail2ban
    install fail2ban
    on ubuntu:
    apt-get purge fail2ban
    apt-get install fail2ban
    to confirm that it is running:
    /etc/init.d/fail2ban restart

    no need to edit jail.local since the file will not be deleted on uninstall.
     
  3. frank2

    frank2 New Member

    so far so good

    I think it's working

    I am running the new Debian (Lenny)

    apt-get install fail2ban and edit and add filter

    All I did was edit the stock
    file and add in an additional jail.

    here is what I did in my jail.conf file. You can note the regular postfix entry above mine. I just copied that one and added my name and set retries to 3 (make sure you enable)
    I called it postfix-spamers550, sorta wanted a name that represents it best. It will refine over time. Then I copied the regular postfix filter in the
    directory and resaved it as
    here it is
    Nice and simple, then I restarted everything

    now I have one domain that gets hit like crazy and I moved it over to this test server and have had it running for at least an hour now and traffic has slowed down.. I mean I can actually cat the mail.log | tail the end of it and it does not move like it did

    I am still worried that there is something I am not thinking of that blocking after 3 tries is going to cause
     
    Last edited: Nov 18, 2008
  4. madmucho

    madmucho ISPConfig Developer

    Thank you

    I'm blocking a similar attack using the ssh jail, I will add this on my Mandriva servers, thank you for your time.

    Guys, do you use permanent or temp blocking? I use permanent and my hosts.deny is quite large :) can this be integrated into a DB (MySQL or Pg)?
     
  5. madmucho

    madmucho ISPConfig Developer

    Testing fail2ban recipe

    Hi all, I set this rule in fail2ban and modified failregex for some smtp codes; the recipe is from the fail2ban wiki page.
    550 relaying
    450 mailbox isn't on server
    554 relaying transaction

    now I am testing this in my env.
    Code:
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
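As an added example (not posted in this thread), the three failregex lines above replayed over constructed Postfix smtpd log lines the way a jail would: a host is banned once it accumulates maxretry matches inside findtime, and hits that arrive after the ban are counted as the "already banned" lines mentioned later in the thread. The IPs, recipients and the hostname mx are all made up.

```python
import re
from collections import defaultdict, deque

# The three failregex lines from the post, in fail2ban syntax (<HOST> placeholder).
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
# fail2ban substitutes <HOST> with a capture group; an IPv4 group is enough here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_host(line):
    """Return the client IP if the line matches any failregex, otherwise None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def simulate(events, maxretry=3, findtime=600):
    """Replay (epoch_seconds, logline) events in time order and return
    (bans, already_banned): ban time per host, and hits seen after the ban."""
    hits, bans, already = defaultdict(deque), {}, defaultdict(int)
    for ts, line in events:
        host = match_host(line)
        if host is None:
            continue                       # delivered mail etc. is not a failure
        if host in bans:
            already[host] += 1             # the "already banned" log lines
            continue
        q = hits[host]
        q.append(ts)
        while q and q[0] < ts - findtime:  # only count failures inside findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans, dict(already)

def reject(ip, status, rcpt="nobody@example.com"):
    """Constructed Postfix smtpd reject line in the shape the failregex expects."""
    return (f"Nov 18 10:00:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {status} <{rcpt}>: Recipient address rejected")

# Constructed sample: a harvesting bot (203.0.113.7), a host with two bad
# addresses and one real delivery (198.51.100.9), and a slow host whose three
# failures fall outside the default findtime (192.0.2.5).
SAMPLE = [
    (0, reject("203.0.113.7", "550 5.1.1", "aaron@example.com")),
    (0, reject("192.0.2.5", "550 5.1.1")),
    (5, reject("203.0.113.7", "550 5.1.1", "abby@example.com")),
    (9, reject("203.0.113.7", "554 5.7.1")),
    (30, reject("203.0.113.7", "550 5.1.1", "adam@example.com")),
    (100, reject("198.51.100.9", "550 5.1.1", "jon@example.com")),
    (110, "Nov 18 10:01:50 mx postfix/smtp[1300]: A1B2: to=<john@example.com>, status=sent"),
    (120, reject("198.51.100.9", "450 4.7.1")),
    (4000, reject("192.0.2.5", "550 5.1.1")),
    (8000, reject("192.0.2.5", "550 5.1.1")),
]
```

Running simulate(SAMPLE) bans only the bot; raising findtime to a day also catches the slow host, which is the trade-off the thread is weighing.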
     
  6. frank2

    frank2 New Member


    Can I do this in one file? I was not sure so I did a separate file

    I know one thing is for sure: just doing 554 and 550 is working sooo nice. My traffic has slowed down a lot! Now I only do this temp, 50 mins or so.. I noticed in my logs I was getting a lot of "already banned". Maybe that's why you run yours permanently?

    How's that working out for you? Do you get more hits that way? How are the complaints? Have you lost any mail?

    I was thinking of upping the temp time to say a full day; beyond that I fear eventually it could be a legit email. I have mine testing on a test server, I moved over some light traffic domains. One company gets a lot of international stuff

    If the IP address or fake spoofs are common I figure they make it to the lists, but if they are totally fake random generated info then I could one day miss an important email that would make someone mad ..

    Overall the fail2ban with what I did is making a huge difference.
     
  7. madmucho

    madmucho ISPConfig Developer

    very nice

    On my testing server (my whole domain :) ) all works very well now. I don't have a strong internet connection, the testing server is on ADSL; before this rule I saw slow traffic, but now it is faster. From the morning when I applied the rule I have 4 IPs banned from the postfix rule. I made some info modification, whois for domain, nothing special; the same I have for ssh.

    Code:
    [postfix-tcpwrapper]
    
    enabled  = true
    port     = smtp,ssmtp
    filter   = postfix
    action   = hostsdeny
               mail-whois[name=Postfix, dest=xxx.xxx@xx.xx]
    logpath  = /var/log/mail/info.log
    This rule is Mandriva specific; timeouts, bantime etc. are defined globally.
     
  8. frank2

    frank2 New Member

    as you can see, roughly, it's banning a lot of traffic that normally hits me hard .. always seems like 20 bots are hitting me at once .. now they are being stopped after a few tries. and as you can see from the "already banned" msgs, having it longer than 10 mins (the default) is pretty important. I am watching it closely. I added more domains to this today so I am watching, randomly grepping to see if it looks legit or not ..

    Anyone know how long I could hold the data .. I don't want to hold forever, just at most a day or so, but I also don't want to crash fail2ban; it might not be meant for it.. I will have to do some more reading on this wonderful tool
     
