Smtp statistics jail for fail2ban

I noticed a lot of attempts to “send spam” from my Nethserver 7 in my mail.log… for example:

May 16 23:40:37 assa postfix/anvil[30859]: statistics: max connection rate 1/60s for (smtp:187.191.101.134) at May 16 23:37:16
May 16 23:40:37 assa postfix/anvil[30859]: statistics: max connection count 1 for (smtp:187.191.101.134) at May 16 23:37:16
May 16 23:40:37 assa postfix/anvil[30859]: statistics: max cache size 1 at May 16 23:37:1

I wonder whether a jail in fail2ban for that wouldn’t be great…!!!
I found a thread in another forum discussing such a jail: https://forum.yunohost.org/t/firewall-fail2ban/314/5

@stephdl I have just sent you my whole mail.log logs via email…

It seems that this one could be too restrictive, what do you think, mates?

I don’t think so… this line already tells you that there are more attempts than allowed by postfix (see e.g. https://www.cyberciti.biz/faq/postfix-limit-incoming-or-receiving-email-rate/)… or am I wrong?

I’m just referring from the pointer you gave Firewall & Fail2Ban - #5 by madmaxlamenace - Support - YunoHost Forum

In this answer the author stated in French that the regex ‘statistics: max connection rate 1/60s’ could be too restrictive for a mailing list

Looking at this in your log, I can see that it is rarely the same IP which makes this log noise, and really not often… I expect about every ten minutes for the short time

It doesn’t look like a DDoS or flood attack

ok… if you look at a somewhat longer time interval (e.g. 2h or 1d) you will however often find an IP that would have been banned…
I guess the reason why the IPs don’t repeat so frequently is again that the message is only logged if the respective IP has already tried to reach the limit of postfix…
hence, I am convinced that these are brute-force attacks… (also because many of the IPs had already been reported to https://www.abuseipdb.com/)

What are these IPs, please? In which logs can I find them?

sorry for the delay…

In the maillog which I sent you are several such IPs, for example:

  • 47.53.165.67
  • 79.148.239.246
  • 201.151.139.28
  • 41.226.11.226
  • 187.163.143.227
  • 181.55.176.241

and many more… all these are listed in https://www.abuseipdb.com/ and were at least 3 times in the log (most of them even more than 20 times)! and the log is only about two days…!
None of these IPs has been banned by the existing jails of nethserver-fail2ban…!

Hence, I will definitely implement such a jail for my server… regardless of whether that jail will be implemented in nethserver-fail2ban or not…
If you will implement it, I would be happy to test it of course…! :wink:

My worry is banning several good SMTP servers because they might be misconfigured or have some issues.

Are 20 attempts by one IP a brute-force or DDoS attack? I don’t think so.

You can do a custom jail and if you have no issues, propose it to be incorporated


You were completely right…!!! The jail is much too restrictive…! :frowning:
it bans every IP to which one sends more than one email…!!! Hence, it is really nonsense…!

However, I would like to get rid of the spamming attempts/attacks…
Does anyone have an idea? :sweat:

You might post your custom jail here

it is basically the same jail as suggested in the forum which I linked above…

[smtpmaxconnection]

enabled  = true
port     = smtp,ssmtp,submission
protocol = tcp
filter   = maxou-smtp-statistics
logpath  = /var/log/maillog*
maxretry = 2

and filter:

[Definition]
failregex = max connection rate 1/60s for \(smtp:<HOST>.*
ignoreregex =

it works great but definitely is much much too strong/restrictive… even if I increase the maxretry value…

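An added example, not part of the original thread: it runs the failregex posted above over constructed anvil lines to show that the literal `1/60s` matches only the lowest reported rate and never a line such as `14/60s`, next to a variant that parses the rate and applies a minimum. The sample lines, the documentation-range addresses, the simplified IPv4 group standing in for `<HOST>`, and the minimum rate of 10 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the postfix/anvil format quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not taken from the thread's log.
SAMPLE_LOG = """\
May 16 23:40:37 assa postfix/anvil[30859]: statistics: max connection rate 1/60s for (smtp:192.0.2.10) at May 16 23:37:16
May 16 23:40:37 assa postfix/anvil[30859]: statistics: max connection count 1 for (smtp:192.0.2.10) at May 16 23:37:16
May 16 23:50:41 assa postfix/anvil[30901]: statistics: max connection rate 1/60s for (smtp:198.51.100.7) at May 16 23:47:20
May 17 00:10:02 assa postfix/anvil[31010]: statistics: max connection rate 14/60s for (smtp:203.0.113.99) at May 17 00:06:44
May 17 00:20:05 assa postfix/anvil[31055]: statistics: max connection rate 1/60s for (smtp:192.0.2.10) at May 17 00:16:50
May 17 00:30:09 assa postfix/anvil[31102]: statistics: max connection rate 12/60s for (smtp:203.0.113.99) at May 17 00:26:31
"""

# The thread's failregex, with fail2ban's <HOST> tag replaced by a simplified IPv4 group.
THREAD_RE = re.compile(r"max connection rate 1/60s for \(smtp:(?P<host>[\d.]+).*")
# Variant (assumption, not from the thread) that captures the reported rate and period.
RATE_RE = re.compile(
    r"max connection rate (?P<n>\d+)/(?P<secs>\d+)s for \(smtp:(?P<host>[\d.]+)\)"
)

def thread_filter_hits(log):
    """Count lines per host that the thread's literal '1/60s' pattern matches."""
    matches = map(THREAD_RE.search, log.splitlines())
    return Counter(m.group("host") for m in matches if m)

def rate_filter_hits(log, min_rate):
    """Count lines per host whose reported peak rate is at least min_rate."""
    hits = Counter()
    for line in log.splitlines():
        m = RATE_RE.search(line)
        if m and int(m.group("n")) >= min_rate:
            hits[m.group("host")] += 1
    return hits

def would_ban(hits, maxretry):
    """Hosts reaching maxretry matches (the findtime window is ignored here)."""
    return sorted(h for h, c in hits.items() if c >= maxretry)

if __name__ == "__main__":
    print("thread filter:", would_ban(thread_filter_hits(SAMPLE_LOG), 2))
    print("rate >= 10   :", would_ban(rate_filter_hits(SAMPLE_LOG, 10), 2))
```
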