Seems like fail2ban would've dealt with this ... DoS and log storage filler better

And if I need to run fail2ban then is there really any point to crowdsec?

2025-06-30T01:40:22-07:00 [1:crowdsec1:crowdsec1] time="2025-06-30T08:40:22Z" level=info msg="Ip 81.30.107.67 performed 'crowdsecurity/postfix-non-smtp-command' (1 events over 0s) at 2025-06-30 08:40:22.032615581 +0000 UTC"
2025-06-30T01:40:22-07:00 [1:crowdsec1:crowdsec1] time="2025-06-30T08:40:22Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-non-smtp-command by ip 81.30.107.67 (IR/215930) : 8m ban on Ip 81.30.107.67"
2025-07-01T19:40:23-07:00 [1:crowdsec1:crowdsec1] time="2025-07-02T02:40:23Z" level=info msg="Ip 81.30.107.177 performed 'crowdsecurity/postfix-non-smtp-command' (1 events over 0s) at 2025-07-02 02:40:23.282585287 +0000 UTC"
2025-07-01T19:40:24-07:00 [1:crowdsec1:crowdsec1] time="2025-07-02T02:40:24Z" level=info msg="(localhost/crowdsec) crowdsecurity/postfix-non-smtp-command by ip 81.30.107.177 (IR/215930) : 4m ban on Ip 81.30.107.177"
2025-07-01T20:21:10-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.70]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=nataly
2025-07-01T20:21:11-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.130]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=narsil
2025-07-01T20:21:33-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.89]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=pedidos
2025-07-01T20:21:38-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.173]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=1111
2025-07-01T20:21:55-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.29]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=davidm
2025-07-01T20:22:07-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=wangxin
2025-07-01T20:23:10-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.201]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rudi
2025-07-01T20:23:48-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.121]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=jocelyn
2025-07-01T20:24:26-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.94]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=serge2
2025-07-01T20:24:39-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=partage
2025-07-01T20:24:49-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.177]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=badboy
2025-07-01T20:27:00-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.168]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=qwe
2025-07-01T20:27:23-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.119]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=doraemon
2025-07-01T20:27:28-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.64]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=contactos
2025-07-01T20:27:43-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.145]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=avahi
2025-07-01T20:28:35-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.109]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=jcg
2025-07-01T20:28:45-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.153]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=zorro
2025-07-01T20:29:17-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.104]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=edm
2025-07-01T20:31:09-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.194]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=bm
2025-07-01T20:31:21-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.205]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=marcello
2025-07-01T20:32:25-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.43]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=pgl
2025-07-01T20:32:30-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.115]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=mobil
2025-07-01T20:33:18-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.174]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=fm
2025-07-01T20:33:33-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.49]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=arbeit
2025-07-01T20:33:46-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.189]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=testeteste
2025-07-01T20:33:54-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.195]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=casting
2025-07-01T20:34:02-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.146]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=belgorod
2025-07-01T20:34:29-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.125]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=sslwebmaster
2025-07-01T20:34:31-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.33]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=shevchenko
2025-07-01T20:34:42-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.67]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=command
2025-07-01T20:34:43-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.136]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=cao
2025-07-01T20:34:52-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.159]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rcastro
2025-07-01T20:36:34-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.160]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=sissa
2025-07-01T20:37:41-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.185]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=asshole
2025-07-01T20:38:05-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.130]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=sales1
2025-07-01T20:38:24-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.24]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=host26
2025-07-01T20:38:31-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.177]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=info3
2025-07-01T20:38:44-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.173]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=emb
2025-07-01T20:38:44-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.38]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=sevastopol
2025-07-01T20:38:47-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.121]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=treasurer
2025-07-01T20:39:27-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.201]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rs
2025-07-01T20:39:34-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.94]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=red5
2025-07-01T20:40:15-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rsvp
2025-07-01T20:41:02-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.21]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=nhc
2025-07-01T20:41:07-07:00 [1:mail1:rspamd] (controller) <5t8s4f>; map; rspamd_map_dns_callback: cannot resolve sa-update.surbl.org: server fail
2025-07-01T20:41:16-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.149]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=abe
2025-07-01T20:42:39-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.145]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=musteri
2025-07-01T20:44:15-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.119]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=prueba
2025-07-01T20:44:37-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.153]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=eduardo
2025-07-01T20:46:53-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.205]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=quynh
2025-07-01T20:47:31-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.194]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=galaxy
2025-07-01T20:48:08-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.195]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=konfigurator
2025-07-01T20:48:41-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.109]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=audit
2025-07-01T20:48:44-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.189]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=pavlin
2025-07-01T20:49:19-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.90]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=heads
2025-07-01T20:49:52-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.29]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=avdesk
2025-07-01T20:49:53-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.136]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=humas
2025-07-01T20:49:58-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.49]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=delete
2025-07-01T20:50:10-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.168]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=comune
2025-07-01T20:50:21-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.89]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=val
2025-07-01T20:50:31-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.159]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=bn
2025-07-01T20:51:24-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.104]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=charlesr
2025-07-01T20:51:27-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.43]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=inter2
2025-07-01T20:52:48-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.160]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=111
2025-07-01T20:52:54-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.125]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=wpsadmin
2025-07-01T20:53:05-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.146]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=notary
2025-07-01T20:53:12-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.33]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=hippopotamus
2025-07-01T20:53:23-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.115]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=herbert
2025-07-01T20:53:30-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.94]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=radojicic
2025-07-01T20:53:57-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.70]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=skt
2025-07-01T20:54:04-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.38]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=idc123zxc
2025-07-01T20:54:17-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.121]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ms365
2025-07-01T20:54:41-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.173]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=media-1
2025-07-01T20:54:56-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.130]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=kumi
2025-07-01T20:55:34-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.64]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=samba
2025-07-01T20:55:43-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.149]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=tomczak
2025-07-01T20:56:04-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.201]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=melanie
2025-07-01T20:56:35-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.185]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=crs
2025-07-01T20:56:38-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.24]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=technician
2025-07-01T20:57:03-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.145]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=myth
2025-07-01T20:59:12-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=media2
2025-07-01T21:00:23-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.153]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=dport
2025-07-01T21:00:36-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.205]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=brianna
2025-07-01T21:02:37-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.174]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=watermelon
2025-07-01T21:02:53-07:00 [1:mail1:rspamd] (controller) <1jqufq>; monitored; rspamd_monitored_propagate_error: servfail on resolving dbl.spamhaus.org, disable object
2025-07-01T21:02:54-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.189]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=devtest
2025-07-01T21:02:56-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.21]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=radon
2025-07-01T21:02:59-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.90]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=pib
2025-07-01T21:03:32-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.195]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=wayne
2025-07-01T21:03:51-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.119]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=onlinestore
2025-07-01T21:03:53-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.194]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=joyce
2025-07-01T21:04:19-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.136]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=aca
2025-07-01T21:05:00-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.159]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=2112
2025-07-01T21:05:04-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.89]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=prepress
2025-07-01T21:06:26-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.67]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=chiara
2025-07-01T21:06:55-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.177]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=bird
2025-07-01T21:06:59-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.168]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=penne
2025-07-01T21:07:41-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.49]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=integracao
2025-07-01T21:08:11-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.94]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=sls
2025-07-01T21:08:33-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.149]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=eugene

Crowdsec is able to recognize attacking IP ranges, maybe we just need to enable that feature?


Would seem… helpful.


At our level I do not see the interest. If you have an attack you ban the IP; it does it again, it bans again.

Crowdsec maintains a list of known-bad IPs; in a short time you will see them there, automatically banned by crowdsec itself.


This is just an example of the usefulness of a behavioral based reaction to someone's unloading a dictionary on my server from a whole subnet. In this case I haven’t looked to see how long they’ve been at it because it’s not a priority, so I just blocked the subnet at the gateway. But they’re still at it according to the gateway logs. The lag before crowdsec adds that subnet to their signatures could be weeks. Fail2ban would’ve discouraged them in minutes. I randomly check logs when I can, but tools like fail2ban make life a lot easier and less hectic. At this point I’m just saying that our official tool for this should be more functional and assistive out of the box.

Hum.

What will fail2ban do that crowdsec does not?

Could you please explain, in detail?

I clearly remember fail2ban in NS7 banning an IP for failed login attempts for a period of time, with the option in the NS7 UI to permaban said IP.
That is literally the above scenario.

Does this help explain what I’m saying? Fail2ban — NethServer 7 Final

To clarify the above: I truncated the log search when I pasted above. There are tens of thousands of attempts in the logs; I only posted 100 lines. In the same time period there were 2 reactions from crowdsec. I’m not saying crowdsec isn’t working, I’m saying it isn’t addressing this scenario sufficiently.

Are you so sure?

This is the postfix jail.

hmmm… I must have confused incremental and conflated it with copy and paste into my fw. :laughing:


I do not understand what you are looking for.

It pings the SMTP server, it gets banned, it starts again, it gets banned again for more time.

Explain the need; show us a log where it is not banned :stuck_out_tongue:

This is the scenario you have that triggers the ban.

I guess I’m lost, I did exactly that in my original post. It doesn’t seem like I know the words to explain it to you.

I read that and it’s not.

I’m not sure if you’re trolling me or not and I don’t have time for that so I’m stepping away from the keyboard now.

Sorry, I have some troubles and I should go to test some Lagavulin rather than IT.

Find the log lines that have triggered your two bans, I am curious.

So you are asking to add this log line to the log parser, why not.

It exists.

2025-07-01T20:22:07-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=wangxin
....
2025-07-01T20:40:15-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rsvp
....
2025-07-01T20:59:12-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=media2

This is an example: the IP 81.30.107.142 has tested 3 times, but it waits before testing again.

20:22:07
20:40:15
20:59:12

It is really difficult, the attempts are far apart. Cybersecurity is really complex, attackers are really good.


With the attack scenario ban-defcon-drop_range we won’t catch that case using the default values as it would need 5 bans from 81.30.107.0/24 in 1 minute. As there were only 2 bans in 2 days it won’t work.

I think a better approach would be to ban after 10 alerts from 81.30.107.0/24 in 5 minutes. With that approach we would have banned that case after the first 10 tries.

But I don’t know how to set up such an attack scenario, maybe adapting the ban-defcon-drop_range to be triggered on alerts instead of bans…
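To make the two counting rules concrete (per-IP, which the spacing shown a few posts up defeats, and per-/24 as proposed in this post), here is an added Python example that is not from this thread or from crowdsec: it replays lines from the paste above through both sliding-window counters. The thresholds and the 5-minute window are the ones stated in the post; crowdsec's own leaky-bucket semantics differ in detail, so this illustrates the logic, not crowdsec's scenario format.

```python
"""Compare per-IP and per-/24 sliding-window counters on postfix SASL failures."""
import ipaddress
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: 12 SASL-failure lines plus one rspamd line, copied from
# the paste earlier in this thread (a subset, kept in time order).
SAMPLE_LOG = """\
2025-07-01T20:21:10-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.70]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=nataly
2025-07-01T20:21:11-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.130]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=narsil
2025-07-01T20:21:33-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.89]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=pedidos
2025-07-01T20:21:38-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.173]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=1111
2025-07-01T20:21:55-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.29]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=davidm
2025-07-01T20:22:07-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=wangxin
2025-07-01T20:23:10-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.201]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rudi
2025-07-01T20:23:48-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.121]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=jocelyn
2025-07-01T20:24:26-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.94]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=serge2
2025-07-01T20:24:39-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.40]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=partage
2025-07-01T20:40:15-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rsvp
2025-07-01T20:41:07-07:00 [1:mail1:rspamd] (controller) <5t8s4f>; map; rspamd_map_dns_callback: cannot resolve sa-update.surbl.org: server fail
2025-07-01T20:59:12-07:00 [1:mail1:postfix/smtpd] warning: unknown[81.30.107.142]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=media2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[[^\]]*postfix/smtpd\] warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL LOGIN authentication failed"
)

def parse_failures(text):
    """Return [(timestamp, source_ip), ...] for SASL LOGIN failure lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return events

def first_trigger(events, threshold, window, key):
    """Return (timestamp, bucket) when a bucket first holds `threshold` events
    inside `window` (older events drop out as time moves on), else None."""
    buckets = {}
    for ts, ip in events:  # events are expected in time order
        q = buckets.setdefault(key(ip), deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            return ts, key(ip)
    return None

def by_slash24(ip):
    # Collapse the source address to its /24, the grouping the proposal relies on.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def compare(text):
    """Per-IP counting (5 in 5 min) versus per-/24 counting (10 in 5 min)."""
    events = parse_failures(text)
    return {
        "events": len(events),
        "per_ip": first_trigger(events, 5, timedelta(minutes=5), lambda ip: ip),
        "per_24": first_trigger(events, 10, timedelta(minutes=5), by_slash24),
    }

if __name__ == "__main__":
    print(compare(SAMPLE_LOG))
```

On this subset no single IP ever reaches 5 failures (81.30.107.142 sends one every 18 to 19 minutes), while the /24 counter fires at the tenth line, 20:24:39.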

honestly I added this to my todo list to make something workable

but

  • we cannot have it enabled if we allow bans on the local network, because everybody will be banned
  • this attack could also be a bit dumb; look at the usernames it tests. Maybe it is better to use firstname.lastname@domain.com and they can play for a really long time
  • we could lower the 5 attempts