Protect against postfix AUTH DoS attacks

I have tons of "connect from unknown..." and "lost connection after AUTH from unknown..." entries in my mail.log. For some weeks these entries have been flooding my logcheck notifications, and I also want to block the guys who keep trying to get past my postfix authentication. In my mail.log file, and also in the email generated by logcheck, I see tons of these entries:

...
Jan 12 07:47:06 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: disconnect from unknown[193.189.117.147]
Jan 12 07:49:38 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: disconnect from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: connect from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: disconnect from unknown[193.189.117.147]
...

The easiest way to block these attacks is to use fail2ban.

Install fail2ban

If you haven't done so yet, install fail2ban:

sudo apt-get install fail2ban

Configure fail2ban for postfix-auth

If you want fail2ban to check the postfix authentication part, add the following section to the end of /etc/fail2ban/jail.local:

[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#             sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log

Create new postfix auth filter

To add the specific filter, create a new file /etc/fail2ban/filter.d/postfix.auth.conf with the following content (the <HOST> tag is mandatory; fail2ban refuses a failregex without it, and it is what fail2ban replaces with its IP/hostname pattern to learn which address to ban):

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

Finish fail2ban configuration

At the end you just have to restart fail2ban:

/etc/init.d/fail2ban restart
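Before restarting, it is worth checking that the filter really matches the log lines and that the ban logic would fire. The following Python check is an added example, not code from the original post or from fail2ban: it expands the <HOST> tag roughly the way fail2ban does, runs the failregex over the log excerpt above plus one constructed extra host, and applies a maxretry/findtime window. The host pattern, the year (syslog lines carry none), and the thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# failregex from postfix.auth.conf above; <HOST> is expanded with an approximation
# of fail2ban's own host pattern (assumption: close to the 0.8/0.9 pattern).
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# fail2ban strips the syslog timestamp before applying failregex; do the same.
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample: the excerpt from the post plus one extra host (203.0.113.5)
# whose two failures are far enough apart not to trigger a ban.
SAMPLE_LOG = """\
Jan 12 07:47:06 HOSTNAME postfix/smtpd[24764]: connect from unknown[193.189.117.147]
Jan 12 07:47:07 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:49:39 HOSTNAME postfix/smtpd[24764]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 07:52:09 HOSTNAME postfix/smtpd[31711]: lost connection after AUTH from unknown[193.189.117.147]
Jan 12 08:10:00 HOSTNAME postfix/smtpd[31712]: lost connection after AUTH from mail.example.org[203.0.113.5]
Jan 12 09:30:00 HOSTNAME postfix/smtpd[31713]: lost connection after AUTH from mail.example.org[203.0.113.5]
""".splitlines()


def parse_line(line, year=2015):
    """Return (timestamp, host) for an AUTH failure line, or None if no match."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    when = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    hit = COMPILED.search(line[m.end():])  # unanchored, like fail2ban's search
    if not hit:
        return None
    return when, hit.group("host")


def hosts_to_ban(lines, maxretry=3, findtime=600, year=2015):
    """Mimic fail2ban: ban a host once it has maxretry failures within findtime seconds."""
    recent = {}  # host -> failure timestamps still inside the findtime window
    banned = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        when, host = parsed
        window = [t for t in recent.get(host, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

On a real host, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.auth.conf runs the same kind of match test with fail2ban's own engine.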