From: <li...@la...> - 2016-05-21 14:01:31
Anvil rate limits any behavior, good or bad. But would you want an attacker to have to exceed in my case 60 failures per minute before the attack is stopped? Now you could set the limit lower, but it wouldn't be all that weird for say yahoogroups to dump a pile of mail at once if a few lists suddenly became chatty. In my VPS, I'm the only customer. But in a more typical application, you could have many users getting hit from a list server without any real bad behavior occurring, well other than it might be lunchtime and something is trending.

My point is you want to block bad behavior quickly. Anvil just limits floods, good or bad. It would be safe to assume a hacker/bot knows the default setting of postfix rate limiting and would stay under the radar.

Now that I have a command line means to annoy postfix, I will try a few scenarios of bad behavior and at least you would have the error messages handy should you decide to block based on them. The nice thing about swaks is you only need knowledge of bash scripting.

Funny thing about swaks is it knew immediately that a dynamic blocking service had blocked my attempt to send mail to an actual account on the system (as opposed to my open relay attempt). I wonder why a real email client can't do that?

  Original Message
From: Kevin Zheng
Sent: Saturday, May 21, 2016 6:25 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] sshguard sniffing postifx---no odor detected

On 05/20/2016 19:40, li...@la... wrote:
> I set up a simple script using swaks to hit my email server with 100
> messages to relay. Since I don't have an open relay, these actions get
> flagged by postfix. Eventually the connection got dropped by postfix
> anvil, the rate limiter. Best I can tell postfix locks me out for 600
> seconds.
> http://www.postfix.org/anvil.8.html

It sounds like anvil(8) does the right thing.

> In any event, sshguard didn't block me. I grepped all the auth.logs for
> the offending IP.
> (I would have done more email testing but the Peet's
> wifi is on a dynamic blocking list!)

SSHGuard doesn't know about RCPT TO rejects (yet). We could teach it to.

Ultimately, it looks like anvil does what you want, so perhaps just add a rule to block the offender using the firewall when anvil starts to rate-limit? This might potentially be a better option since we won't need attack signatures for every error message that can be generated by a spammer.

Thoughts?

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

_______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users
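The two detection ideas discussed in this thread, matching postfix "Relay access denied" RCPT TO rejects and reacting when anvil starts rate-limiting a client, as an added Python example that is not code from the thread or from SSHGuard. The log lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed, and the message formats are assumed from stock postfix smtpd logging.

```python
import re
from collections import Counter

# Constructed sample mail log (not from the thread). Three relay attempts and one
# anvil-triggered rate-limit warning from 192.0.2.10; one benign recipient reject
# from 198.51.100.7 that must NOT count as an attack.
SAMPLE_LOG = """\
May 21 13:00:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <bob@example.net>: Relay access denied; from=<a@example.org> to=<bob@example.net> proto=ESMTP helo=<swaks>
May 21 13:00:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <bob@example.net>: Relay access denied; from=<a@example.org> to=<bob@example.net> proto=ESMTP helo=<swaks>
May 21 13:00:02 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <bob@example.net>: Relay access denied; from=<a@example.org> to=<bob@example.net> proto=ESMTP helo=<swaks>
May 21 13:00:03 mx postfix/smtpd[2213]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.1.2 <nobody@example.net>: Recipient address rejected: Domain not found; from=<x@example.com> to=<nobody@example.net> proto=ESMTP helo=<mail.example.com>
May 21 13:00:04 mx postfix/smtpd[2214]: warning: Connection rate limit exceeded: 61 from unknown[192.0.2.10] for service smtp
May 21 13:00:05 mx postfix/smtpd[2215]: connect from mail.example.com[198.51.100.7]
"""

# Assumed formats: smtpd's per-recipient reject line and the warning it logs once
# anvil's connection rate limit trips. The client IP sits in square brackets.
RCPT_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) ")
RATE_LIMIT = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection rate limit exceeded: \d+ from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")


def score_offenders(log_text, relay_weight=1, rate_limit_weight=10):
    """Score each client IP: every relay-denied RCPT TO adds relay_weight, every
    rate-limit warning adds rate_limit_weight. Other rejects (bad recipient
    domain, greylisting) are ignored so a chatty but legitimate sender is not scored."""
    scores = Counter()
    for line in log_text.splitlines():
        m = RCPT_REJECT.search(line)
        if m and "Relay access denied" in line:
            scores[m["ip"]] += relay_weight
            continue
        m = RATE_LIMIT.search(line)
        if m:
            scores[m["ip"]] += rate_limit_weight
    return scores


def offenders_to_block(log_text, threshold=3):
    """Return the IPs whose score reached threshold, ready for a firewall backend."""
    return sorted(ip for ip, s in score_offenders(log_text).items() if s >= threshold)


if __name__ == "__main__":
    for ip in offenders_to_block(SAMPLE_LOG):
        print("block", ip)
```

With the default weights a single anvil warning is enough to block on its own, while relay rejects need to repeat before the client is blocked.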