Nethserver 7.9 Postfix-ddos

Good morning,
I noticed that on my Fail2ban Dashboard Postfix-ddos attacks are high. Is it possible to limit them?

Thank you

1 Like

@a.magnoli

Hello Andrea

And Welcome to the NethServer community!

Attacks are per se “attacks”, no one wants or needs them, but idiots still try. It’s not possible to stop these attacks, unless you outsource your mail. The attacks will still happen, but it’s no longer your problem.

Then again, Fail2ban is handling these attacks very well (On my systems I see that often), so why bother? True, these idiots use a little bandwidth by probing, but so what?

Now, if you personally know one of these attackers, maybe if you ask nicely? Only Joking!!!
As these guys generally use global botnets of “Zombie” PCs (Hacked machines on the Internet at their command), it’s hard to stop the whole Internet!

My 2 cents
Andy

I agree with @Andy_Wismer . In general it is your awareness of these attacks that annoys you. Fail2ban is doing its job. Don’t let them get into your mind!

:slight_smile:

You can ask whoever’s attacking you to please stop. You think this is unlikely to happen? Me too…

Fail2Ban is helping you to defend your postfix from DDOS, but it’s like a storm: usually you can’t stop it, slow it, avoid it. It comes. You can only keep calm, reinforce doors and windows, keep waiting.

In the same way, something/someone out there is throwing useless data. Unplugging the cable will work (they will not reach your installation again), but it is something you don’t want.
Fail2Ban is collecting all the offenders’ IP addresses, cataloguing them and throwing incoming traffic from these in the trash. It won’t stop them, but at least it will mitigate the issue.

Please, can you check in the fail2ban log whether the attackers are banned by the postfix-ddos jails? If yes, please forget it; if no, then please report: it is a bug we need to hit.

It’s just fail2ban doing its job, so it is just annoying but not harmful.

For us they usually appeared continuously for 1-2 days and then a long pause… after 2 weeks when the ban expired, sometimes the same IPs appeared again, sometimes there were no repeated attempts.

Later these actually disappeared after moving the whole network behind a pfSense (virtual) router and configuring pfBlocker-NG to block IP ranges based on blacklists.

Nethserver also has a similar feature (I never used it in production yet): Threat Shield

Note:
Blocking half the internet by using all the available blacklists may eventually block the good guys too.
So be careful when selecting the blacklists, and also configure whitelist(s).

3 Likes
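Added example, not part of any post in this thread: one way to do the log check requested above and to spot the re-appearing IPs described after ban expiry. It assumes the usual fail2ban.log line layout; the sample lines, IPs and the `openvpn` jail name are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the usual fail2ban.log layout; IPs are documentation
# ranges and the "openvpn" jail name is an assumption for illustration.
SAMPLE_LOG = """\
2021-03-01 08:14:02,511 fail2ban.filter  [1201]: INFO    [postfix-ddos] Found 203.0.113.7 - 2021-03-01 08:14:02
2021-03-01 08:14:09,127 fail2ban.actions [1201]: NOTICE  [postfix-ddos] Ban 203.0.113.7
2021-03-01 09:02:44,903 fail2ban.actions [1201]: NOTICE  [postfix-ddos] Ban 198.51.100.23
2021-03-02 11:30:10,004 fail2ban.actions [1201]: NOTICE  [openvpn] Ban 192.0.2.55
2021-03-15 08:14:09,300 fail2ban.actions [1201]: NOTICE  [postfix-ddos] Unban 203.0.113.7
2021-03-15 19:41:37,682 fail2ban.actions [1201]: NOTICE  [postfix-ddos] Ban 203.0.113.7
2021-03-16 02:10:00,100 fail2ban.filter  [1201]: INFO    [postfix-ddos] Found 198.51.100.99 - 2021-03-16 02:10:00
"""

# Matches "<logger> [pid]: LEVEL [jail] Found|Ban|Unban <ip>" after the timestamp.
EVENT = re.compile(
    r"fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+\[([^\]]+)\]\s+(Found|Ban|Unban)\s+(\S+)"
)

def summarize(log_text, jail="postfix-ddos"):
    """Count Found/Ban/Unban events per IP for a single jail."""
    stats = defaultdict(lambda: {"Found": 0, "Ban": 0, "Unban": 0})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m and m.group(1) == jail:
            stats[m.group(3)][m.group(2)] += 1
    return dict(stats)

def found_not_banned(stats):
    """IPs the filter matched but that were never banned.
    May simply be below the jail's retry threshold, so treat as a hint."""
    return sorted(ip for ip, s in stats.items() if s["Found"] and not s["Ban"])

def rebanned(stats):
    """IPs banned more than once, i.e. they came back after a ban expired."""
    return sorted(ip for ip, s in stats.items() if s["Ban"] > 1)

if __name__ == "__main__":
    # On a server, pass the contents of the fail2ban log instead of SAMPLE_LOG.
    stats = summarize(SAMPLE_LOG)
    print("banned IPs:      ", sorted(ip for ip, s in stats.items() if s["Ban"]))
    print("found, not banned:", found_not_banned(stats))
    print("re-banned:        ", rebanned(stats))
```

IPs that keep showing up in the re-banned list are the natural candidates for a longer ban time or a blocklist entry.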

Threat Shield AKA another list

This is my setup, okay?

The last few days I have seen an increased volume of openvpn attacks. (100+ mails from F2ban for openvpn PER DAY, meaning at least 300+ tries for connecting to openvpn)
Just happy with F2B doing its job…

Hi @robb

As with SSL, using an obscure port has no disadvantages (besides a bit more typing in the CLI) when doing OpenVPN. I often use e.g. 1196 or something similar…

It does have the advantage of reducing the attacks in the range of 10-90%!!! :slight_smile:

After all, an OpenVPN is either a RoadWarrior, or another Site, both members of “the chosen few” allowed to use OpenVPN… It’s not a “public” OpenVPN.

Changing ports is however NOT an option for publicly accessible mail systems, as port 25 is globally used to transfer mail… (smtp). Postfix is, due to smartphone use, also difficult to change.

In all cases, fail2ban must also do its job!

My 2 cents
Andy