fail2ban
------------
Stop SMTP AUTH Flood from Spammers
After some time, the spammer knew that he cannot get through my spam filter. This bad actor started flooding my email server with SMTP AUTH connections. In my /var/log/mail.log file, I can find the following messages.
Dec 14 09:58:37 email postfix/smtpd[22095]: connect from unknown[117.86.35.119] Dec 14 09:58:37 email postfix/smtpd[22119]: lost connection after AUTH from unknown[114.232.141.99] Dec 14 09:58:37 email postfix/smtpd[22119]: disconnect from unknown[114.232.141.99] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:37 email postfix/smtpd[22119]: connect from unknown[180.120.191.91] Dec 14 09:58:38 email postfix/smtpd[22095]: lost connection after AUTH from unknown[117.86.35.119] Dec 14 09:58:38 email postfix/smtpd[22095]: disconnect from unknown[117.86.35.119] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:38 email postfix/smtpd[22119]: lost connection after AUTH from unknown[180.120.191.91] Dec 14 09:58:38 email postfix/smtpd[22119]: disconnect from unknown[180.120.191.91] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:38 email postfix/smtpd[22095]: connect from unknown[49.67.68.34] Dec 14 09:58:39 email postfix/smtpd[22106]: lost connection after AUTH from unknown[180.120.192.199] Dec 14 09:58:39 email postfix/smtpd[22106]: disconnect from unknown[180.120.192.199] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:39 email postfix/smtpd[22095]: lost connection after AUTH from unknown[49.67.68.34] Dec 14 09:58:39 email postfix/smtpd[22095]: disconnect from unknown[49.67.68.34] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:39 email postfix/smtpd[22119]: connect from unknown[121.226.62.16] Dec 14 09:58:39 email postfix/smtpd[22119]: lost connection after AUTH from unknown[121.226.62.16] Dec 14 09:58:39 email postfix/smtpd[22119]: disconnect from unknown[121.226.62.16] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:39 email postfix/smtpd[22106]: connect from unknown[58.221.55.21] Dec 14 09:58:40 email postfix/smtpd[22106]: lost connection after AUTH from unknown[58.221.55.21] Dec 14 09:58:40 email postfix/smtpd[22106]: disconnect from unknown[58.221.55.21] ehlo=1 auth=0/1 commands=1/2 Dec 14 09:58:47 email postfix/smtpd[22095]: connect from unknown[121.232.65.223] Dec 14 09:58:47 email postfix/smtpd[22095]: lost connection after AUTH from unknown[121.232.65.223] Dec 14 09:58:47 email postfix/smtpd[22095]: disconnect from unknown[121.232.65.223] ehlo=1 auth=0/1 commands=1/2
Postfix is designed to run even under stressful conditions. It uses a limited amount of memory, so such attacks are much less effective. However, I don’t want them to appear in my mail log and we should save smtpd processes for legitimiate SMTP clients, instead of wasting time dealing with spambots. To stop this kind of flood attack, you can use fail2ban, which is a set of server and client programs to limit brute force authentication attempts. Install fail2ban from default Ubuntu repository.
yum -y install fail2ban
After it’s installed, it will be automatically started, as can be seen with:
systemctl status fail2ban
The fail2ban-server program included in fail2ban monitors log files and issues ban/unban command. By default, it would ban a client’s IP address for 10 minutes if the client failed authentication 5 times. The ban is done by adding iptables firewall rules. You can check iptables rules by running the following command.
sudo iptables -L
To enable fail2ban on Postifx SMTP AUTH attack, add the following lines in # vi /etc/fail2ban/jail.local file. If the file doesn’t exist, then create this file.
[postfix-flood-attack] enabled = true bantime = 10m filter = postfix-flood-attack action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] logpath = /var/log/mail.log
You can change the bantime to something like 30m or 12h to ban the bad actor for longer time. If you would like to whitelist your own IP address, add the following line to tell fail2ban to ignore your IP address. Replace 12.34.56.78 with your own IP address. Multiple IP addresses are separated by spaces.
ignoreip = 127.0.0.1/8 ::1 12.34.56.78
By default, the allowed max number of failure it 5 times. After 5 failures, the client will be banned. To specify a customized number of failures, add the following line. Change the number to your liking.
maxretry = 4
Save and close the file. Then create the filter rule file.
vi /etc/fail2ban/filter.d/postfix-flood-attack.conf
In this file, we specify that if the “lost connection after AUTH from” is found, then ban that IP address.
[Definition] failregex = lost connection after AUTH from (.*)\[<HOST>\] ignoreregex =
Save and close the file. Restart fail2ban the changes to take effect.
systemctl restart fail2ban
In the fail2ban log file (/var/log/fail2ban.log), I can find the message like below, which indicates the IP address 114.223.221.55 has been banned because it failed authentication 5 times.
2018-12-14 09:52:15,598 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found 114.223.211.55 - 2018-12-14 09:52:15 2018-12-14 09:52:16,485 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found 114.223.211.55 - 2018-12-14 09:52:16 2018-12-14 09:52:20,864 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found 114.223.211.55 - 2018-12-14 09:52:20 2018-12-14 09:52:21,601 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found 114.223.211.55 - 2018-12-14 09:52:21 2018-12-14 09:52:22,102 fail2ban.filter [21897]: INFO [postfix-flood-attack] Found 114.223.211.55 - 2018-12-14 09:52:22 2018-12-14 09:52:22,544 fail2ban.actions [21897]: NOTICE [postfix-flood-attack] Ban 114.223.211.55
I can also check my iptables.
sudo iptables -L
Output:
Chain f2b-postfix (1 references) target prot opt source destination REJECT all -- 195.140.231.114.broad.nt.js.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable RETURN all -- anywhere anywhere
This indicates fail2ban has set up a iptables rule that reject connection from 195.140.231.114.broad.nt.js.dynamic.163data.com.cn, which is a hostname is used by the spammer.
If you would like to manually block an IP address, run the following command. Replace 12.34.56.78 with the IP address you want to block.
iptables -I INPUT -s 12.34.56.78 -j DROP
If you use UFW (iptables frontend), then run
ufw insert 1 deny from 12.34.56.78 to any
How To Stop Repeat Senders Who Failed Postfix Check
Some spammers use automated tools to send spam. They ignore the Postfix reject message and continue sending spam. For example, sometimes I can see the following message in Postfix summary report.
504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<123123@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1) 1 185.191.228.36 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<123456@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1) 1 185.191.228.36 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<3vrgfqblaepzfoieznbfntmrpqyix@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1) 1 185.191.228.36 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<6khdgqr6j@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1) 1 185.191.228.36 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<a1b2c3d4@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1) 1 185.191.228.36 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<abuse@linuxbabe.com> to=<martinlujan997@gmail.com> proto=ESMTP helo= (total: 1)
This spammer continues sending spam, ignoring the Postfix reject message: Helo command rejected: need fully-qualified hostname. To stop this kind of behavior, we can also use Fail2ban by adding the following lines in /etc/fail2ban/jail.local file.
[postfix] enabled = true maxretry = 3 bantime = 1h filter = postfix logpath = /var/log/mail.log
The [postfix] jail will use the builtin filter shipped with Fail2ban (/etc/fail2ban/filter.d/postfix.conf). Save and close the file. Then restart Fail2ban.
systemctl restart fail2ban
-------