From: Gerard S. <car...@ou...> - 2016-09-30 11:39:11
On Fri, 30 Sep 2016 06:40:20 -0400, Jim Seymour stated:

>On Fri, 30 Sep 2016 10:13:44 +0000
>Gerard Seibert <car...@ou...> wrote:
>
>[snip]
>>
>> While the IP address will change, the action is never blocked by
>> sshguard. Shouldn't sshguard recognize this as an attack and block
>> it?
>
>I should certainly hope not. If one took to blackholing every system
>on the 'net that had wonky DNS, they'd have a significant portion
>blocked a significant amount of the time.
>
>It may be in conjunction with an attack, but, those log entries, in and
>of themselves, do not suggest an attack.
>
>If you do not wish to accept email from such sources (I would not, but
>that's a personal/corporate/site preference), you can use one of the
>appropriate Postfix config directives.

You are certainly entitled to your opinion; however, I feel that the
number of legitimate sites failing reverse DNS is trivial. You will
notice the "whois" output below. I know no one in Vietnam and feel
quite confident in stating that this was an example of an attempt to
hack into my mail system. As I stated, I have found several hacks like
this before, with different IPs of course.

I was advised to use the following in my postfix config file:
"reject_unknown_reverse_client_hostname". I will be checking the log
file judiciously to see if in fact any legitimate sites are being
blocked.

Thanks for your response.
~ $ whois 118.71.251.67
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.apnic.net

inetnum: 118.0.0.0 - 118.255.255.255
organisation: APNIC
status: ALLOCATED

whois: whois.apnic.net

changed: 2007-01
source: IANA

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '118.71.240.0 - 118.71.255.255'

inetnum: 118.71.240.0 - 118.71.255.255
netname: fpt-net
descr: Vung dia chi IP cap cho dich vu IPTV tai Hai Phong
country: vn
admin-c: fhig1-ap
tech-c: fhig1-ap
status: ASSIGNED NON-PORTABLE
mnt-by: maint-vn-fpt
changed: hm-...@vn... 20080923
source: APNIC

role: FPT HANOI IPADMIN GROUP
address: 48 Van Bao, Ba Dinh
address: Ha Noi
country: VN
phone: +84-4-7601060
fax-no: +84-4-7262163
e-mail: fte...@fp...
remarks: send spam reports to fte...@fp...
admin-c: TPV1-AP
tech-c: NTT9-AP
nic-hdl: FHIG1-AP
notify: hm-...@vn...
mnt-by: MAINT-VN-FPT
changed: hm-...@vn... 20090325
changed: hm-...@ap... 20111114
changed: hm-...@vn... 20141113
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

--
Carmel
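
One way to do the log check mentioned in the message above, as an added example that is not part of the original post: it tallies Postfix rejections caused by reject_unknown_reverse_client_hostname per client IP and shortlists the ones whose envelope sender domain is a domain the site expects mail from. The log lines, the addresses and the `partner.example` domain are constructed, and the matched wording is Postfix's usual "cannot find your reverse hostname" reject text.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 30 06:01:02 mail postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Sep 30 06:01:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<x1@example.net> to=<user@example.org> proto=ESMTP helo=<User>
Sep 30 06:09:40 mail postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<x2@example.net> to=<user@example.org> proto=ESMTP helo=<User>
Sep 30 07:15:11 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<billing@partner.example> to=<user@example.org> proto=ESMTP helo=<mx.partner.example>
Sep 30 07:20:00 mail postfix/smtpd[2151]: NOQUEUE: reject: RCPT from host.example.com[203.0.113.5]: 554 5.7.1 <a@example.com>: Relay access denied; from=<b@example.com> to=<a@example.com> proto=ESMTP helo=<host.example.com>
"""

# Matches only the reverse-hostname reject; other reject reasons are ignored.
REJECT_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: NOQUEUE: reject: \S+ from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) \S+ Client host rejected: cannot find your reverse hostname"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>(?:.*?helo=<(?P<helo>[^>]*)>)?"
)

def summarize(lines):
    """Group reverse-DNS rejects by client IP."""
    hosts = defaultdict(lambda: {"count": 0, "codes": set(), "senders": set(), "helos": set()})
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        entry = hosts[m["ip"]]
        entry["count"] += 1
        entry["codes"].add(m["code"])  # 4xx: sender retries later; 5xx: mail bounced
        entry["senders"].add(m["sender"].lower())
        if m["helo"]:  # HELO is absent when the client never sent one
            entry["helos"].add(m["helo"])
    return dict(hosts)

def needs_review(summary, expected_domains):
    """IPs whose envelope sender domain is one the site expects mail from.
    Envelope senders can be forged, so this is a shortlist for a human, not a verdict."""
    expected = {d.lower() for d in expected_domains}
    return sorted(ip for ip, e in summary.items()
                  if {s.rpartition("@")[2] for s in e["senders"]} & expected)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, e["count"], sorted(e["codes"]), sorted(e["senders"]))
    print("review:", needs_review(summary, {"partner.example"}))
```

To run it against a real log, pass an open file handle to `summarize` instead of the sample lines.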