Protect against postfix AUTH DoS attacks
I have tons of "connect from unknown..." and "lost connection after AUTH from unknown..." entries in my mail.log. For some weeks these entries have been flooding my logcheck notifications, and I also want to block the guys who keep hammering my Postfix authentication.
In my mail.log file, and also in the email generated by logcheck, I see tons of these entries:
...
Jan 12 07:47:06 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: disconnect from unknown[193.189.117.147]
Jan 12 07:49:38 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: disconnect from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: connect from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: disconnect from unknown[193.189.117.147]
...
The easiest way to block these attacks is fail2ban: it scans the log for lines matching a filter and, once it has seen maxretry matches from the same IP within findtime seconds, bans that IP with iptables for bantime seconds.
Install fail2ban
If you haven't done so yet, install fail2ban:
sudo apt-get install fail2ban
Configure fail2ban for postfix-auth
To have fail2ban watch the Postfix authentication log lines, add the following section to the end of /etc/fail2ban/jail.local (the value of "filter" names the file /etc/fail2ban/filter.d/postfix.auth.conf created in the next step; the port list decides which services a banned IP loses access to, so trim it to what you actually run):
[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/mail.log
If you do not set maxretry, findtime and bantime in this section, the values from the [DEFAULT] section of jail.conf apply.
Create new postfix auth filter
To add the filter itself, create a new file /etc/fail2ban/filter.d/postfix.auth.conf with the following content. The failregex must contain the <HOST> tag: that is how fail2ban learns which address to ban. A pattern ending in \[\] would only match a literal "[]" and would therefore match none of the lines above.
[Definition]
failregex = lost connection after AUTH from (\S*)\[<HOST>\]
ignoreregex =
Finish fail2ban configuration
Before restarting, it is worth checking that the filter really matches your log, for example with fail2ban-regex. Then restart fail2ban so the new jail is loaded:
/etc/init.d/fail2ban restart
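To see what the jail above actually does with these log lines before touching the live server, here is an added example (not code from the original post and not fail2ban's own code) that re-implements just enough of fail2ban's matching to run offline: the <HOST> placeholder is expanded the way fail2ban does it (simplified), the failregex is applied to a few constructed mail.log lines, and the maxretry/findtime window decides which IPs would be banned. The hostname, PIDs, the second IP 203.0.113.5 and the year used for the syslog timestamps are all assumptions made for the sample.

```python
"""Offline check of a fail2ban-style failregex against constructed mail.log lines.

Added example; not from the original post or from fail2ban. It mimics the two
things the postfix-auth jail relies on: the <HOST> placeholder in failregex and
the maxretry-within-findtime rule.
"""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with a named group for an IP or hostname; this is a
# simplified stand-in for that expansion.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# Corrected filter from the post, and the broken form that matches nothing.
FAILREGEX = r"lost connection after AUTH from (\S*)\[<HOST>\]"
BROKEN_FAILREGEX = r"lost connection after AUTH from (.*)\[\]"

# Constructed sample log lines in /var/log/mail.log (syslog) format.
SAMPLE_LOG = """\
Jan 12 07:47:06 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: disconnect from unknown[193.189.117.147]
Jan 12 07:49:38 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:55:00 HOSTNAME postfix/smtpd[31712]: lost connection after AUTH from mail.example.org[203.0.113.5]
Jan 12 09:30:00 HOSTNAME postfix/smtpd[31799]: lost connection after AUTH from unknown[193.189.117.147]
"""


def compile_failregex(failregex):
    """Expand <HOST> into the host-capturing group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line, year=2019):
    """Syslog lines carry no year; assume one so timestamps are comparable."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_failures(log_text, failregex=FAILREGEX):
    """Return (timestamp, host) for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            # A failregex without <HOST> yields no "host" group: fail2ban would
            # refuse such a filter; here it simply produces no bannable host.
            hits.append((parse_timestamp(line), m.groupdict().get("host")))
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600, failregex=FAILREGEX):
    """Hosts with at least maxretry matches inside some findtime-second window.

    Sliding window over each host's sorted failure times, which is the rule the
    jail applies (defaults here mirror a common jail.conf: 3 tries in 10 minutes).
    """
    per_host = defaultdict(list)
    for ts, host in find_failures(log_text, failregex):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    print("broken regex matches:", len(find_failures(SAMPLE_LOG, BROKEN_FAILREGEX)))
    print("fixed regex matches: ", len(find_failures(SAMPLE_LOG)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

With the sample above the broken pattern matches nothing, the corrected one matches five lines, and 193.189.117.147 is banned because its first three AUTH drops fall within 302 seconds; the single hit from 203.0.113.5 stays below maxretry. On the real server the equivalent check is fail2ban-regex run against /var/log/mail.log and the filter file, which prints the same match count per host.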