Postfix Blacklisting IPs (connection spam in mail.log)

Discussion in 'Installation/Configuration' started by niemand-glaumy, Feb 8, 2022.

  1. Hey, I have a mailserver issue and while trying to fix it, I tailed mail.log.
    There I get login spam from a few specific IPs (I guess they're trying to bruteforce or something?):
    Code:
    Feb  8 15:12:34 web postfix/smtpd[12690]: disconnect from unknown[5.34.205.118] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  8 15:12:36 web postfix/smtpd[12338]: warning: unknown[5.34.205.118]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb  8 15:12:36 web postfix/smtpd[12338]: disconnect from unknown[5.34.205.118] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Feb  8 15:12:37 web postfix/smtpd[12331]: connect from unknown[5.34.205.118]
    Is there a way I can blacklist those IPs and deny any connection completely? Because I can't even read the errors I want to fix, they pass by so fast. :D

    And is there a way to DDoS for free so I can retaliate? :3
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can use fail2ban to catch those and block the IP addrs with repeated failures. There are other tools as well, but that is quick to setup.
     
    niemand-glaumy likes this.
  3. Thank you! It seems like fail2ban is already actively running. At least I have recent lines in ispconfig > Monitor > fail2ban Log. Can I find the settings somewhere?

    Edit: It seems adding an IP to a jail won't stop it from trying to connect and spamming like posted above.
    Command used:
    Code:
    fail2ban-client -vvv set postfix banip 5.34.205.118
     
    Last edited: Feb 8, 2022
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can do quite a lot with fail2ban, but you have to configure it, it does almost nothing out of the box (only monitors ssh login failures, iirc), and the perfect server guides include very minimal additional configuration.
    Most custom config is done in /etc/fail2ban/jail.local; you might also edit fail2ban.local and add files to /etc/fail2ban/filter.d/ (or possibly /etc/fail2ban/action.d/). It looks like there is now a /etc/fail2ban/jail.d/ you can/should check as well (looking at a Debian 11 host here).
    What do you see from "fail2ban-client get postfix banip"? You might start with checking /var/log/fail2ban.log, and even restart fail2ban to see what shows there.
     
    niemand-glaumy likes this.
  5. recin

    recin Member

    I think you have to block the IP under postfix-sasl jail:
    Code:
    fail2ban-client -vvv set postfix banip 5.34.205.118
     
    niemand-glaumy likes this.
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It should prevent, but only for the bantime of the jail used.
    Enable recidive jail, set that jails bantime to 1 week and add IP to recidive jail.
    Code:
    fail2ban-client set recidive banip 5.34.205.118
     
    niemand-glaumy likes this.

Share This Page