[CentOS] Problem with mail server: stop flooding with fail2ban ?

Wed Mar 31 20:04:53 UTC 2021
David Hrbáč <david-lists at hrbac.cz>

Hello Niki,

Just enable postfix-sasl in jail.conf:

[postfix-sasl]

filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
enabled = true
maxretry = 3
findtime = 172800
bantime = 3600

And enable recidive too:

[recidive]

logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1mo
findtime = 1w
enabled  = true

Add ignoreip = 127.0.0.1 and your jumpoints :)

Regards,
DH

On Mon 29 Mar 2021 at 21:31, Nicolas Kovacs <info at microlinux.fr>
wrote:

> Hi,
>
> My main mail server is running CentOS 7 with Postfix and Dovecot.
>
> Last week I was surprised to see that Postfix had some troubles on this
> machine, according to Icinga. I took a peek at the logs:
>
> # journalctl -p err
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
> ...
>
> And in /var/log/maillog I found a tsunami of these:
>
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
>
> My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:
>
> # firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
> # firewall-cmd --reload
>
> I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.
>
> Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?
>
> Thanks & cheers from the sunny South of France,
>
> Niki
>
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> Mob. : 06 51 80 12 12
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
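The two jails in the reply (postfix-sasl with maxretry/findtime/bantime, and recidive escalating repeat offenders to an all-ports ban) are easy to misjudge without seeing the window logic run. Below is an added example, not code from this thread or from fail2ban itself, that models both jails in Python and runs them over constructed maillog lines shaped like the ones Niki quoted. Assumptions: the failregex is modelled on fail2ban's postfix filter in mode=auth rather than copied from it; recidive's maxretry is taken as 5 (the jail.conf default, which the reply does not show); "1mo" is treated as 30 days; the syslog year is assumed to be 2021; hostnames, PIDs and the 203.0.113.7 address are made up for the sample.

```python
"""Added example: a small model of the two fail2ban jails from the reply
(postfix-sasl and recidive) run over constructed log lines shaped like the
ones in the original post.  This is not fail2ban's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Modelled on fail2ban's postfix filter in mode=auth.  The pattern below is
# written for this example and is an assumption, not the shipped failregex.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

# jail.conf accepts plain seconds or a suffix; "1mo" is taken as 30 days here.
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "mo": 2592000}


def parse_duration(value):
    """Turn 3600, '1w' or '1mo' into seconds."""
    m = re.fullmatch(r"(\d+)(mo|[smhdw])?", str(value))
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * SECONDS[m.group(2) or "s"]


def parse_syslog_time(line, year=2021):
    """Syslog lines carry no year; 2021 is assumed to match the post."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class Jail:
    """maxretry failures from one host inside findtime => ban for bantime."""

    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = parse_duration(findtime)
        self.bantime = parse_duration(bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> recent failure times
        self.bans = []                      # (host, banned_at, expires_at)

    def fail(self, host, when):
        """Record one failure; return True when it triggers a ban."""
        if host in self.ignoreip:           # ignoreip = 127.0.0.1 and jump hosts
            return False
        window = self.failures[host]
        window.append(when)
        # Only failures inside the last findtime seconds count.
        while window and (when - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return False
        window.clear()
        self.bans.append((host, when, when + timedelta(seconds=self.bantime)))
        return True


def run_jails(maillog, ignoreip=("127.0.0.1",)):
    """Feed maillog to postfix-sasl; feed its bans to recidive, which on a
    real host reads the 'Ban <ip>' lines in /var/log/fail2ban.log instead."""
    postfix_sasl = Jail(maxretry=3, findtime=172800, bantime=3600, ignoreip=ignoreip)
    # The reply does not set maxretry for recidive; jail.conf's default of 5 is assumed.
    recidive = Jail(maxretry=5, findtime="1w", bantime="1mo", ignoreip=ignoreip)
    for line in maillog:
        m = SASL_FAIL.search(line)
        if not m:                           # 'disconnect from' etc. are not failures
            continue
        when = parse_syslog_time(line)
        if postfix_sasl.fail(m.group("host"), when):
            recidive.fail(m.group("host"), when)
    return postfix_sasl, recidive


def sasl_fail_line(ts, host, pid=29589):
    """One constructed maillog line in the shape quoted in the post
    ('UGFzc3dvcmQ6' is base64 for 'Password:')."""
    return (f"{ts:%b %d %H:%M:%S} sd-151768 postfix/smtpd[{pid}]: warning: "
            f"unknown[{host}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")


def build_sample_log():
    """Constructed sample: one bot bursting on five consecutive days, a local
    client that fails often, and a host that stays under maxretry."""
    base = datetime(2021, 3, 24, 3, 18, 33)
    lines = []
    for day in range(5):
        t = base + timedelta(days=day)
        lines += [sasl_fail_line(t + timedelta(seconds=i), "45.227.253.115") for i in range(3)]
        lines.append(f"{t + timedelta(seconds=3):%b %d %H:%M:%S} sd-151768 "
                     "postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]")
    lines += [sasl_fail_line(base + timedelta(seconds=i), "127.0.0.1") for i in range(10)]
    lines += [sasl_fail_line(base + timedelta(seconds=i), "203.0.113.7") for i in range(2)]
    return lines


if __name__ == "__main__":
    sasl, rec = run_jails(build_sample_log())
    for host, at, until in sasl.bans:
        print(f"postfix-sasl: banned {host} at {at} until {until}")
    for host, at, until in rec.bans:
        print(f"recidive: banned {host} at {at} until {until} (all ports)")
```

Run stand-alone it prints five one-hour postfix-sasl bans for 45.227.253.115 (one per daily burst, since each burst reaches maxretry inside the two-day findtime) and then a single 30-day recidive ban once the fifth ban lands inside the one-week window; 127.0.0.1 is never banned because of ignoreip, and 203.0.113.7 never reaches maxretry. Before enabling the real jail, check the shipped filter against the actual log with `fail2ban-regex /var/log/maillog postfix[mode=auth]`, and put the overrides in jail.local rather than editing jail.conf so a package update does not overwrite them.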