From: Jim S. <jse...@Li...> - 2016-09-30 12:43:33
On Fri, 30 Sep 2016 11:38:58 +0000
Gerard Seibert <car...@ou...> wrote:

[snip]
>
> You are certainly entitled to your opinion; however, I feel that the
> number of legitimate sites failing reverse dns is trivial.

Hardly. IME the number of people administering networks that are
actually competent at it and conscientious about their job are
outnumbered by the number that are not either one, the other or both.

From my personal server at home, from yesterday, alone, there were 254
SMTP connections where the hostname did not resolve to the correct, or
any, IP address. 79 of those were unique hostnames, from at least
twenty TLDs from all over the world.

> You will
> notice the "whois" output below. I know no one in Vietnam

There's no way for sshguard to "know" that :)

> and feel
> quite confident in stating that this was an example of an attempt to
> hack into my mail system.

Via Postfix' SMTPD daemon? *snort* Won't bloody likely encounter much
success with that.

In any event: There's nothing in the signature of those log lines to
suggest sshguard, or any other IDS, should take action. As I wrote,
earlier: Those log lines, in and of themselves, are merely reflective
of poorly set up DNS.

That doesn't mean somebody's not trying to find a vulnerability in your
server, merely that *those* log lines don't make the case that they are.

In the network admin/security world we tend to abide by Hanlon's Razor:
"Never attribute to malice that which is adequately explained by
stupidity." (Sometimes substituting "incompetence" for "stupidity.")

[snip]
> I was advised to use
> the following in my postfix config file:
> "reject_unknown_reverse_client_hostname".

That is the weaker, and, therefore, less-likely-damaging of the two
restrictions you might have added. I'll leave it at that, being as
Postfix configuration is OT for this mailing list.

[snip]
>
> Thanks for your response.

You're welcome,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering.
If you reply to this email and your email is rejected, please accept
my apologies and let me know via my web form at
<http://jimsun.LinxNet.com/contact/scform.php>.
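Added example, not part of the original message or of sshguard: a small Python tally of Postfix's "hostname ... does not resolve to address ..." warnings, producing the kind of counts quoted above (events, unique hostnames, TLDs). The log lines are constructed samples using documentation addresses, and the syslog prefix layout is an assumption about the local logging setup.

```python
import re
from collections import Counter

# Postfix smtpd logs this warning when the PTR name of a client does not
# map back to the connecting address, or does not resolve at all.
WARN = re.compile(
    r"postfix/smtpd\[\d+\]: warning: hostname (?P<host>\S+) "
    r"does not resolve to address (?P<addr>[0-9A-Fa-f:.]+)(?P<err>: .+)?$"
)

# Constructed sample lines (documentation addresses, example domains).
SAMPLE_LOG = """\
Sep 29 03:12:01 mx postfix/smtpd[2101]: warning: hostname host1.example.net does not resolve to address 192.0.2.10
Sep 29 03:12:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Sep 29 04:40:17 mx postfix/smtpd[2188]: warning: hostname static.example.vn does not resolve to address 198.51.100.7: Name or service not known
Sep 29 04:41:02 mx postfix/smtpd[2188]: warning: hostname static.example.vn does not resolve to address 198.51.100.7: Name or service not known
Sep 29 05:02:44 mx postfix/smtpd[2250]: connect from mail.example.org[203.0.113.5]
Sep 29 06:15:30 mx postfix/smtpd[2301]: warning: hostname Pool-9.Example.COM. does not resolve to address 203.0.113.99
"""


def summarize(lines):
    """Tally forward-confirmation failures: events, unique hosts, TLDs."""
    hosts, tlds, no_address = Counter(), Counter(), 0
    for line in lines:
        m = WARN.search(line.rstrip("\n"))
        if not m:
            continue
        # Normalise case and a trailing root dot so duplicates collapse.
        host = m.group("host").rstrip(".").lower()
        hosts[host] += 1
        tlds[host.rsplit(".", 1)[-1]] += 1
        if m.group("err"):  # resolver error: the name maps to no address
            no_address += 1
    return {
        "events": sum(hosts.values()),
        "unique_hosts": len(hosts),
        "tlds": sorted(tlds),
        "no_address": no_address,
        "top": hosts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The counts describe DNS hygiene among connecting hosts; on their own they are not evidence of an attack, which is the point made in the message.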