From: Cristian M. <c.m...@ap...> - 2013-10-29 13:12:56
Hi, I'm using this tool http://www.gufonero.com/postfix/check_auth_log.html to parse postfix logs.

It's a tool to limit damages done by spammers using stolen smtp credentials.

If too many successful authentications within a timeframe from a particular user are detected, the user gets disabled.

If too many authentications within a timeframe from a particular user AND from different IPs are detected, the user is disabled.

The tool works but is slow and inefficient. I already have fail2ban in place, is it possible to configure it for the same purpose?

--
Cristian Mammoli
APRA SISTEMI srl
Via Brodolini,6 Jesi (AN)
tel dir. +390731719822
Web www.apra.it
e-mail c.m...@ap...
###################################################
You can also open a technical request from the site http://supporto.apra.it or by sending an e-mail to sup...@ap...
####################################################
From: John F. <jo...@er...> - 2013-10-29 20:22:29
On 29/10/13 13:46, Cristian Mammoli wrote:
> Hi, I'm using this tool
> http://www.gufonero.com/postfix/check_auth_log.html to parse postfix logs.
>
> It's a tool to limit damages done by spammers using stolen smtp credentials.
>
> If too many successful authentications within a timeframe from a
> particular user are detected, the user gets disabled
>
> If too many authentications within a timeframe from a particular user AND
> from different IPs are detected the user is disabled
>
> The tool works but is slow and inefficient. I already have fail2ban in
> place, is it possible to configure it for the same purpose?
>

Cristian,
that would be interesting to see if something like that is supported or could be supported by fail2ban, which would save running both tools.

I am the author of check_auth_log, which I wrote for my own low volume mail servers and thought then to share in case others found it useful. I have also some changes which are not published yet, though the basic concepts remain the same as in the published version.

I would be interested to receive your feedback even off-list about the slowness and inefficiencies you found (contextualized to your volumes of authentications) so that I consider any improvements.

thanks
John
From: Yaroslav H. <li...@on...> - 2013-10-29 21:10:19
On Tue, 29 Oct 2013, John Fawcett wrote:
> On 29/10/13 13:46, Cristian Mammoli wrote:
> > Hi, I'm using this tool
> > http://www.gufonero.com/postfix/check_auth_log.html to parse postfix logs.
> > It's a tool to limit damages done by spammers using stolen smtp credentials.
> > If too many successful authentications within a timeframe from a
> > particular user are detected, the user gets disabled
> > If too many authentications within a timeframe from a particular user AND
> > from different IPs are detected the user is disabled
> > The tool works but is slow and inefficient. I already have fail2ban in
> > place, is it possible to configure it for the same purpose?
> Cristian,
> that would be interesting to see if something like that is supported or
> could be supported by fail2ban, which would save running both tools.

Hi guys -- thanks Cristian for the idea and thanks John for chiming in!

since I am not running postfix myself -- and have little to know about its setup:

- could you provide sample log lines for successful logins? I bet it should be easy to implement a filter for it

- as for the action, I guess it should just use postmap command to add or remove users from e.g. /etc/postfix/smtp_auth_access upon ban/unban actions with similar customizations to what John's setup does to take that into effect?

so in general sounds very feasible -- just needs to be done ;)

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
From: Daniel B. <dan...@in...> - 2013-10-29 22:03:36
On 30/10/13 08:10, Yaroslav Halchenko wrote:
> so in general sounds very feasible -- just needs to be done ;)

yep: https://github.com/fail2ban/fail2ban/issues/67

I've got partially there but I need to merge with the current code base.
From: Cristian M. <c.m...@ap...> - 2013-10-30 07:59:52
On 29/10/2013 22:10, Yaroslav Halchenko wrote:
> Hi guys -- thanks Cristian for the idea and thanks John for chiming in!
>
> since I am not running postfix myself -- and have little to know about its setup:
>
> - could you provide sample log lines for successful logins? I bet
> it should be easy to implement a filter for it

Sure:

Oct 30 08:55:42 mail postfix/smtpd[3836]: 282FC14C012B: client=hostXXX-XXX-static.XXX-XXX-provider.tld[XXX.XXX.XXX.XXX], sasl_method=LOGIN, sasl_username=USERNAME

> - as for the action, I guess it should just use postmap command to
> add or remove users from e.g. /etc/postfix/smtp_auth_access upon
> ban/unban actions with similar customizations to what John's setup does
> to take that into effect?

Actually John's script can update a postfix access_list or run a SQL command to disable the username. Since I use mysql to store usernames and passwords I use the second method:

update mailbox set active=0 where username=USERNAME

--
Cristian Mammoli
APRA SISTEMI srl
Via Brodolini,6 Jesi (AN)
tel dir. +390731719822
Web www.apra.it
e-mail c.m...@ap...
###################################################
You can also open a technical request from the site http://supporto.apra.it or by sending an e-mail to sup...@ap...
####################################################
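As an added illustration (not code from the thread, from check_auth_log or from fail2ban), here is a small Python script that parses the log format Cristian posted and applies the two rules from his first message, a per-user login count and a distinct-IP count over a sliding time window. The regex, the thresholds, the window length and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the postfix/smtpd line format posted in the thread: the bracketed
# address is the client IP, sasl_username the authenticated user.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def parse_line(line, year=2013):
    """Return (timestamp, user, ip) for a successful SASL auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_abused_accounts(lines, window=600, max_auths=20, max_ips=3):
    """check_auth_log's two rules over a sliding window of `window` seconds: flag a user
    with more than max_auths logins, or logins from more than max_ips distinct IPs."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) pairs, oldest first
    flagged = {}                 # user -> reason for the first rule that fired
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:       # not a successful-auth line (warnings, deliveries, ...)
            continue
        ts, user, ip = parsed
        q = recent[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window:  # expire entries outside the window
            q.popleft()
        if len(q) > max_auths:
            flagged.setdefault(user, "too many logins")
        elif len({i for _, i in q}) > max_ips:
            flagged.setdefault(user, "logins from too many IPs")
    return flagged
# Constructed sample log: hypothetical hosts, users and documentation-range IPs.
def _line(ts, ip, user, qid):
    return (f"Oct 30 {ts} mail postfix/smtpd[3836]: {qid}: client=host.example[{ip}], "
            f"sasl_method=LOGIN, sasl_username={user}")
SAMPLE_LOG = (
    [_line("08:55:42", "192.0.2.10", "alice", "A1"),
     _line("08:57:03", "198.51.100.7", "alice", "A2"),
     _line("08:58:30", "203.0.113.5", "alice", "A3"),
     _line("09:01:10", "192.0.2.77", "alice", "A4"),   # 4th distinct IP within 10 minutes
     _line("09:05:00", "192.0.2.20", "carol", "C1")]   # a single normal login
    + [_line(f"09:10:{s:02d}", "192.0.2.30", "bob", f"B{s}") for s in range(0, 30, 5)]  # 6 logins
)
```

With `window=600, max_auths=5, max_ips=3` the sample flags alice for the distinct-IP rule and bob for the login-count rule, while carol is left alone; a real deployment would feed it the live mail log and hand the flagged user to a disabling action such as the SQL update Cristian uses.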
From: Fabian W. <fa...@we...> - 2013-12-02 22:51:17
Hello Cristian

On 29.10.2013 13:46, Cristian Mammoli wrote:
> Hi, I'm using this tool
> http://www.gufonero.com/postfix/check_auth_log.html to parse postfix logs.
>
> It's a tool to limit damages done by spammers using stolen smtp credentials.
> The tool works but is slow and inefficient. I already have fail2ban in
> place, is it possible to configure it for the same purpose?

I have created something like this in fail2ban with calling a script from the action (custom action). It does not do quite what you are asking, but it can take actions only if the source IP address is from a foreign country (based on whois output). I have two different actions, one does just ban like regular f2b, and the other one would disable SMTP accounts.

I have published it at [1], maybe it may inspire you to use this idea and adapt for Postfix.

[1] http://www.wenks.ch/fabian/fail2ban/action-with-script.html

bye
Fabian