DNSBL and stuff

SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

DNSBL and stuff

Post by SupportOU »

Hola,

Anyone want to share their Postfix relay restrictions? And has anyone set up postscreen to complement Postfix? I use abuseat.org, Spamhaus and Barracuda for DNSBL. Does anyone have some more/better ones?

spamhaus needs full recursion though...

See if we can work out a good postfix defense, 1st line of defense should be the cheapest in cycles.

Grtz,
Ronald
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: DNSBL and stuff

Post by nicola.piazzi »

Take a look at this

viewtopic.php?f=14&t=1965
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

To reject spam before it's filtered by MailScanner or SpamAssassin,
put this in the file /etc/postfix/main.cf:

Code:

# Continuation lines of a multi-line value must start with whitespace,
# otherwise Postfix treats each one as a new (and invalid) parameter.
# sbl.spamhaus.org and sbl-xbl.spamhaus.org are subsets of zen.spamhaus.org,
# so those three lookups overlap.
smtpd_client_restrictions =
    permit_sasl_authenticated
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client all.spam-rbl.fr
    reject_rbl_client bl.spamcop.net
    reject_rbl_client relays.mail-abuse.org
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org

# reject_invalid_hostname and reject_non_fqdn_hostname are the pre-2.3 names
# of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname.
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unknown_recipient_domain
    reject_invalid_helo_hostname
    reject_invalid_hostname
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_non_fqdn_helo_hostname
    reject_unauth_pipelining
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_hostname
and reload Postfix:
/etc/init.d/postfix reload

To refuse all advertisements by simply rejecting the message from the server:

create file /etc/postfix/header_checks

and put this:

Code:

/^List-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
/^X-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
and add this line in /etc/postfix/main.cf

Code:

header_checks = regexp:/etc/postfix/header_checks
# regexp: tables are read directly as text; no postmap step is needed for them
and reload postfix
Last edited by wilbourne on 14 Nov 2016 15:09, edited 1 time in total.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: DNSBL and stuff

Post by nicola.piazzi »

reject_rbl_client all.spam-rbl.fr

all.spam-rbl.fr seems to be empty
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

Thanks for your reply; you can replace all.spam-rbl.fr with another one.

Here is a link with a list of many active RBLs:

http://www.anti-abuse.org/multi-rbl-check/


And with this configuration you can install fail2ban and create a rule to ban some "unknown connect from"

Do not hesitate to share your solution.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: DNSBL and stuff

Post by nicola.piazzi »

The most complete RBL CHECK is

http://multirbl.valli.org
SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Re: DNSBL and stuff

Post by SupportOU »

Guys!

Thanks for all the info!

Still got some reports from end users complaining about the ransomware plague that is upon us. In EFA the unofficial sigs are included from Malwarepatrol and securiteinfo. Now, Malwarepatrol also offers a premium subscription, but that's $3900 a year, which is a lot of money (for me).

Do you have any idea if paying for subscriptions from any vendor is beneficial in catching ransomware mails? MP claims to have list updates by the hour.

Any ideas welcome!

Grtz,
Ronald

And thanks again for sharing
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

I think this part requires a lot of manual work. There are alternatives to malware patrol.
You can take a look at this site
http://malc0de.com/bl/
https://www.servernoobs.com/how-to-inst ... etect-lmd/
https://www.projecthoneypot.org/
SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Re: DNSBL and stuff

Post by SupportOU »

Hi Wilbourne,

I checked some parameters:
"With Postfix 2.0 snapshot releases, "reject_unlisted_recipient" is called "check_recipient_maps". Postfix 2.1 understands both forms."
I use check_recipient_maps with an LDAP lookup to my AD to see if a recipient exists in my domain.

"reject_unlisted_sender"
Why use this one? If I read the Postfix docs, this claims that the sender results as "known" if specified in a map, which is not desirable for an internet-facing receiving MX.

"reject_unknown_reverse_client_hostname"
Reject the request when the client IP address has no address->name mapping.
This is a weaker restriction than the reject_unknown_client_hostname feature, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address.
The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem.
This feature is available in Postfix 2.3 and later.
So I'd say use reject_unknown_client_hostname instead.

The header checks, well, mailing lists are allowed on my system, otherwise I get upset users.

Honeypot: I don't believe this adds any defense, since most are zero days
Malware Detect: Part of the ExtremeShok unofficial sigs, which are already part of EFA

Malcode: I could use this BlackList_IPs list and put it in a hash map and have postfix look into that list and reject 'em. But I do think it's more for web sites serving malware, so this should be in Squid somewhere. That'll make more sense.

Looking forward to your comments.
Grtz,
Ronald
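Two checks the thread keeps coming back to can be modelled offline: the DNSBL lookup behind reject_rbl_client (including Nicola's observation that a zone can be empty and Ronald's note that Spamhaus needs a recursive resolver), and the difference between reject_unknown_reverse_client_hostname and reject_unknown_client_hostname quoted above. The following is an added Python example, not code from the thread, from EFA or from Postfix. It reproduces the logic against a constructed fake resolver: the FAKE_A and FAKE_PTR tables, the zone names dnsbl.example and dead.example, and every address and hostname are invented for the example; in production these functions would call a real DNS resolver.

```python
import ipaddress

# Constructed fake DNS data for this example. The zone names and addresses
# are invented; a real check would query a recursive resolver instead.
FAKE_A = {
    # RFC 5782 test entry: a live DNSBL must list 127.0.0.2 and must never
    # list 127.0.0.1 (absent here, so it resolves to "not listed").
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "5.113.0.203.dnsbl.example": ["127.0.0.4"],   # 203.0.113.5 is listed
    # dead.example has no test entry at all: an empty or abandoned zone.
    "mail.example.com": ["203.0.113.50"],
    "mx.spoofed.example": ["198.51.100.99"],
}
FAKE_PTR = {
    "203.0.113.50": ["mail.example.com"],    # forward and reverse agree
    "198.51.100.7": [],                      # no PTR record at all
    "192.0.2.9": ["mx.spoofed.example"],     # PTR exists, forward points elsewhere
}


def resolve_a(name):
    """Stand-in for an A lookup: list of addresses, [] when nothing exists."""
    return FAKE_A.get(name, [])


def resolve_ptr(ip):
    """Stand-in for a PTR lookup: list of names, [] when none exists."""
    return FAKE_PTR.get(ip, [])


def dnsbl_query_name(ip, zone):
    """Build the name reject_rbl_client queries: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, resolve=resolve_a):
    """Return the 127.0.0.x answer codes for ip in zone; [] means not listed."""
    return resolve(dnsbl_query_name(ip, zone))


def dnsbl_alive(zone, resolve=resolve_a):
    """RFC 5782 sanity check for a zone: 127.0.0.2 listed, 127.0.0.1 not.

    An empty or dead zone fails this check, which is the cheap way to notice
    that a reject_rbl_client entry is no longer doing anything.
    """
    return (bool(dnsbl_listed("127.0.0.2", zone, resolve))
            and not dnsbl_listed("127.0.0.1", zone, resolve))


def client_hostname_status(ip, ptr=resolve_ptr, a=resolve_a):
    """Classify a client the way Postfix's two reverse-DNS restrictions do.

    "unknown_reverse": no address->name mapping; rejected by both
        reject_unknown_reverse_client_hostname and reject_unknown_client_hostname.
    "unknown": a PTR exists but no name->address mapping reproduces the
        client IP; rejected only by reject_unknown_client_hostname.
    "ok": forward-confirmed reverse DNS succeeds.
    """
    names = ptr(ip)
    if not names:
        return "unknown_reverse"
    for name in names:
        if ip in a(name):
            return "ok"
    return "unknown"


if __name__ == "__main__":
    for zone in ("dnsbl.example", "dead.example"):
        print(zone, "alive" if dnsbl_alive(zone) else "DEAD/EMPTY")
    for ip in ("203.0.113.5", "203.0.113.50"):
        print(ip, "listed" if dnsbl_listed(ip, "dnsbl.example") else "clean")
    for ip in ("203.0.113.50", "198.51.100.7", "192.0.2.9"):
        print(ip, client_hostname_status(ip))
```

The dnsbl_alive check is the one to run periodically against every zone in smtpd_client_restrictions: a zone that stops answering for 127.0.0.2 is silently costing a DNS round trip per connection and rejecting nothing. The two reverse-DNS outcomes map onto the restriction names: a client with no PTR at all fails both restrictions, while a client whose PTR points to a name that does not resolve back to it fails only the stricter reject_unknown_client_hostname; as the quoted documentation says, a lookup that fails because of a temporary DNS problem gets a 450 rather than a permanent reject, which this offline model does not reproduce.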
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

Thanks for your reply.

With reject_unlisted_recipient I don't need to configure an LDAP lookup, because Postfix checks "mydestination", and if mydestination says "user unknown" Postfix rejects the message with code 550.

conditions for reject_unlisted_recipient:
An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.
The recipient domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the recipient is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps.
The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
The recipient domain matches $relay_domains but the recipient is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.

reject_unlisted_sender = if the sender's domain does not have an MX or A record, or the MX is malformed.


You can also add this plugin to your server
http://www.scrolloutf1.com/rbl
SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Re: DNSBL and stuff

Post by SupportOU »

Hi Wilbourne,

Is reject_unknown_client_hostname different from reject_unlisted_sender? It was my understanding that reject_unknown_client_hostname blocks everything that has no DNS name mapping or PTR to go with it.

I'll have a look at Scrollout, thanks!
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

hi supportou,

Sorry, I made a mistake in my last post.

reject_unlisted_sender = reject outbound senders that are listed in our domain. (This rule looks for the existence of the user in the MAIL FROM, as soon as it is in our domain.)

In my case I receive a lot of mail whose sender address is scan@mydomain or document@mydomain and others, because in Postfix, if you have not configured anti-spoofing, the sender can put mydomain in MAIL FROM and bypass the RBL check and other controls. So with this rule I can permit who may use @mydomain, and the others are rejected.

Sorry for my English
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: DNSBL and stuff

Post by stusmith »

Interesting. I just managed to register on the forums. I've been replacing our current appliance ( a Calyptix Security box ) with the EFA-Project and I've been very happy with it. There are a few things left to do. I had managed to get fail2ban working with postfix. I created two jails, postfix and postfix-rbl, which correspond to clients that attempt to authenticate and fail ( saslauth errors ) and clients that are blocked by a dnsrbl. I enabled the sshd jail as well and tested that.

The next step was to enable a jail for the web portal and munin so that I can allow users to manage their quarantines from outside of my network. We have a fair number of mobile users who are accustomed to being able to release items from quarantine without having a VPN connection. Calyptix handles "security" for this operation through obfuscation - meaning that they generate a long string of random characters that is appended to a url and then a per-user hash is appended to that in order to generate a 'password-free' link to access a quarantine. It's not great, and I would say that it isn't terrible except that the appliance DOES NOT SUPPORT SSL/TLS/SMTPS. Thankfully, they support HTTPS but their strategy seems to be rather than acting as a mail relay, to act as a transparent proxy? Anyway...

It was working very well until yesterday when I upgraded from fail2ban-0.9.4-2.e16 to fail2ban-0.9.6-1.e16. The result was that I receive a ton of failures in my logs stating that the jail can't be initialized and no backend could be found. Currently, the backend for postfix and for sshd is set as 'auto'. I have tried 'systemd' without success as well.

I found the following link: https://github.com/fail2ban/fail2ban/issues/1150 which describes the problem pretty well. I had assumed I was using pynotify, but maybe that isn't the case? At any rate, I tried:


Code:

[ssmith@foster-spam fail2ban]$ sudo pip install python-systemd
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting python-systemd
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading python-systemd-0.0.9.tar.gz
Installing collected packages: python-systemd
  Running setup.py install for python-systemd ... done
Successfully installed python-systemd-0.0.9
[ssmith@foster-spam fail2ban]$ sudo fail2ban-client reload
ERROR  NOK: ("Failed to initialize any backend for Jail 'sshd'",)
... lot o'errors...
ERROR  NOK: ("Failed to initialize any backend for Jail 'postfix'",)
... lot o'errors...
ERROR  NOK: ("Failed to initialize any backend for Jail 'postfix-rbl'",)
... lot o'errors...
[ssmith@foster-spam fail2ban]$ python -c 'from systemd import journal; print("OK")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: cannot import name journal
So I thought that I'd roll back the transaction:

Code:

[ssmith@foster-spam fail2ban]$ sudo yum history list all
Loaded plugins: fastestmirror, security
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    27 |  <ssmith>                | 2017-02-20 22:30 | Update         |    1
    26 |  <ssmith>                | 2017-02-17 18:59 | Install        |    1
    25 |  <ssmith>                | 2017-02-08 18:28 | Install        |    1
    24 |  <ssmith>                | 2017-02-06 18:12 | Install        |    1 EE
    ...
[ssmith@foster-spam fail2ban]$ sudo yum history info 27
Loaded plugins: fastestmirror, security
Transaction ID : 27
Begin time     : Mon Feb 20 22:30:40 2017
Begin rpmdb    : 652:1cde42c3242f60087a0d99cc764e941191d7b8d7
End time       :            22:30:41 2017 (1 seconds)
End rpmdb      : 652:67110175f141329110b6b82bef02b9e44b431912
User           :  <ssmith>
Return-Code    : Success
Command Line   : update
Transaction performed with:
    Installed     rpm-4.8.0-55.el6.x86_64                       @base
    Installed     yum-3.2.29-75.el6.centos.noarch               @updates
    Installed     yum-plugin-fastestmirror-1.1.30-37.el6.noarch @base
Packages Altered:
    Updated fail2ban-0.9.4-2.el6.noarch @epel
    Update           0.9.6-1.el6.noarch @epel
history info
[ssmith@foster-spam fail2ban]$ sudo yum downgrade fail2ban-0.9.4-2.e16.noarch
Loaded plugins: fastestmirror, security
Setting up Downgrade Process
Loading mirror speeds from cached hostfile
 * EFA: dl4.efa-project.org
 * base: mirrors.greenmountainaccess.net
 * epel: mirror.cs.pitt.edu
 * extras: mirrors.centos.webair.com
 * updates: mirror.lug.udel.edu
No package fail2ban-0.9.4-2.e16.noarch available.
Nothing to do


Has anyone else seen this problem? I apologize if I'm posting this in an incorrect location. First post and not terribly familiar with the forums here yet.
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: DNSBL and stuff

Post by wilbourne »

stusmith wrote: 21 Feb 2017 12:45 Interesting. I just managed to register on the forums. I've been replacing our current appliance ( a Calyptix Security box ) with the EFA-Project and I've been very happy with it. There are a few things left to do. I had managed to get fail2ban working with postfix. I created two jails, postfix and postfix-rbl, which correspond to clients that attempt to authenticate and fail ( saslauth errors ) and clients that are blocked by a dnsrbl. I enabled the sshd jail as well and tested that.

The next step was to enable a jail for the web portal and munin so that I can allow users to manage their quarantines from outside of my network. We have a fair number of mobile users who are accustomed to being able to release items from quarantine without having a VPN connection. Calyptix handles "security" for this operation through obfuscation - meaning that they generate a long string of random characters that is appended to a url and then a per-user hash is appended to that in order to generate a 'password-free' link to access a quarantine. It's not great, and I would say that it isn't terrible except that the appliance DOES NOT SUPPORT SSL/TLS/SMTPS. Thankfully, they support HTTPS but their strategy seems to be rather than acting as a mail relay, to act as a transparent proxy? Anyway...

It was working very well until yesterday when I upgraded from fail2ban-0.9.4-2.e16 to fail2ban-0.9.6-1.e16. The result was that I receive a ton of failures in my logs stating that the jail can't be initialized and no backend could be found. Currently, the backend for postfix and for sshd is set as 'auto'. I have tried 'systemd' without success as well.

I found the following link: https://github.com/fail2ban/fail2ban/issues/1150 which describes the problem pretty well. I had assumed I was using pynotify, but maybe that isn't the case? At any rate, I tried:


Code:

[ssmith@foster-spam fail2ban]$ sudo pip install python-systemd
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting python-systemd
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading python-systemd-0.0.9.tar.gz
Installing collected packages: python-systemd
  Running setup.py install for python-systemd ... done
Successfully installed python-systemd-0.0.9
[ssmith@foster-spam fail2ban]$ sudo fail2ban-client reload
ERROR  NOK: ("Failed to initialize any backend for Jail 'sshd'",)
... lot o'errors...
ERROR  NOK: ("Failed to initialize any backend for Jail 'postfix'",)
... lot o'errors...
ERROR  NOK: ("Failed to initialize any backend for Jail 'postfix-rbl'",)
... lot o'errors...
[ssmith@foster-spam fail2ban]$ python -c 'from systemd import journal; print("OK")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: cannot import name journal
So I thought that I'd roll back the transaction:

Code:

[ssmith@foster-spam fail2ban]$ sudo yum history list all
Loaded plugins: fastestmirror, security
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    27 |  <ssmith>                | 2017-02-20 22:30 | Update         |    1
    26 |  <ssmith>                | 2017-02-17 18:59 | Install        |    1
    25 |  <ssmith>                | 2017-02-08 18:28 | Install        |    1
    24 |  <ssmith>                | 2017-02-06 18:12 | Install        |    1 EE
    ...
[ssmith@foster-spam fail2ban]$ sudo yum history info 27
Loaded plugins: fastestmirror, security
Transaction ID : 27
Begin time     : Mon Feb 20 22:30:40 2017
Begin rpmdb    : 652:1cde42c3242f60087a0d99cc764e941191d7b8d7
End time       :            22:30:41 2017 (1 seconds)
End rpmdb      : 652:67110175f141329110b6b82bef02b9e44b431912
User           :  <ssmith>
Return-Code    : Success
Command Line   : update
Transaction performed with:
    Installed     rpm-4.8.0-55.el6.x86_64                       @base
    Installed     yum-3.2.29-75.el6.centos.noarch               @updates
    Installed     yum-plugin-fastestmirror-1.1.30-37.el6.noarch @base
Packages Altered:
    Updated fail2ban-0.9.4-2.el6.noarch @epel
    Update           0.9.6-1.el6.noarch @epel
history info
[ssmith@foster-spam fail2ban]$ sudo yum downgrade fail2ban-0.9.4-2.e16.noarch
Loaded plugins: fastestmirror, security
Setting up Downgrade Process
Loading mirror speeds from cached hostfile
 * EFA: dl4.efa-project.org
 * base: mirrors.greenmountainaccess.net
 * epel: mirror.cs.pitt.edu
 * extras: mirrors.centos.webair.com
 * updates: mirror.lug.udel.edu
No package fail2ban-0.9.4-2.e16.noarch available.
Nothing to do


Has anyone else seen this problem? I apologize if I'm posting this in an incorrect location. First post and not terribly familiar with the forums here yet.

Hi, could you post your config files for the ssh, postfix and postfix-rbl jails?
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: DNSBL and stuff

Post by stusmith »

--EDITED--: fixed a problem with the iptables-allports-log.conf file

Sure, no problem. I fixed the above problem by changing everything from the "auto" backend to "pynotify". I also split out the logfiles because it's easier to search when the information is dropped into its own file. I wanted to make sure that I was tracking the blocked traffic in the event I had to trace down why legitimate messages were not hitting the EFA postfix process.

So far, this thing is crazy efficient. Dropping everything at the MTA level saves SOOOOO much time and effort. There's an error with my unbanning action. It works as expected, iptables just throws out an error -- I think because of the order of the commands. I haven't had a chance to dig into it just yet.

I also enabled the apache jails because I'm allowing access to the EFA from the web so my mobile users can access their quarantines. I realize that I'm crazy strict with my jail setup for postfix authentication failures; I just discovered that the majority of my failed login attempts were coming in ones and twos from places on the other side of the world and decided I'd rather unban clients with legitimate failures than deal with well-timed intrusion attempts.

Breaking out the logging and the rules in iptables the way I have also allows me to track which hosts are the most persistent in their attempts to connect. My assumption was that a legitimate host being blocked would be more likely to stick out in that scenario. My biggest offender seems to be a Verizon Wireless host that's very spammy. Ha!

/etc/fail2ban/filter.d/postfix.local

Code:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix

failregex = ^.*smtpd.*\[<HOST>\].*authentication failed

ignoreregex =

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

#journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# DEV Notes:
#
#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
#   and later catch-all's could contain user-provided input, which need to be greedily
#   matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
/etc/fail2ban/filter.d/postfix-rbl.local

Code:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix-rbl

failregex = ^.*smtpd.*NOQUEUE: reject.*Client host \[<HOST>\] blocked using

ignoreregex = .*?:PWS3.mxtoolbox.com

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

#journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# DEV Notes:
#
#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
#   and later catch-all's could contain user-provided input, which need to be greedily
#   matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black

/etc/fail2ban/jail.local

Code:

[postfix]

enabled  = true
port     = all
#logpath  = %(postfix_log)s
logpath  = /var/log/maillog
backend  = %(postfix_backend)s
filter   = postfix
findtime = 86400
bantime  = 86400
action   = iptables-allports-log[name=postfix]
maxretry = 2

[postfix-rbl]

enabled  = true
port     = all
#logpath  = %(postfix_log)s
logpath  = /var/log/maillog
backend  = %(postfix_backend)s
filter   = postfix-rbl
maxretry = 1
findtime = 86400
bantime  = 86400
action   = iptables-allports-log[name=postfix-rbl]

/etc/fail2ban/actions.d/iptables-allports-log.conf --EDITED--: fixed a problem with the order of commands so no more annoying log errors

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#                       made active on all ports from original iptables.conf
#
#

[INCLUDES]

before = iptables-common.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
              <iptables> -N f2b-<name>-log
              <iptables> -A f2b-<name>-log -p <protocol> -j LOG --log-prefix "Firewall.f2b-<name>: " --log-level 4
              <iptables> -A f2b-<name>-log -j <blocktype>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# Remove the jump from <chain> first, then flush f2b-<name> so it no longer
# references the -log chain, and only then delete both chains. Deleting a
# chain that is still referenced (or a rule that was never added) makes
# iptables fail and fills the log with errors.
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>
             <iptables> -F f2b-<name>-log
             <iptables> -X f2b-<name>-log

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
#actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log
actionunban = <iptables> -D f2b-<name> -j f2b-<name>-log -s <ip>
              #<iptables> -D f2b-<name>-log -s <ip> -j LOG
              #<iptables> -D f2b-<name>-log -s <ip> -j <blocktype>

[Init]

/etc/rsyslog.d/30-fail2ban.conf

Code:


# /etc/rsyslog.d/30-fail2ban.conf
# -----------------------------------------
# log from all fail2ban service
# -----------------------------------------
#

if $programname startswith_i 'fail2ban' then /var/log/fail2ban.log
#if $msg contains 'fail2ban' then /var/log/fail2ban.log
/etc/rsyslog.d/20-firewall.conf APPENDED

Code:


# /etc/rsyslog.d/20-firewall.conf
# -----------------------------------------
# log from all firewall service
# -----------------------------------------
#

if $programname startswith_i 'Firewall' then /var/log/firewall.log
if $msg contains 'Firewall' then /var/log/firewall.log
/etc/logrotate.d/syslog

Code:

/var/log/unbound.log
/var/log/firewall.log
/var/log/saslauthd.log
/var/log/fail2ban.log
{
    rotate 14
    daily
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
I also enabled the fail2ban plugin for munin so I can keep track of how much is banned at a time fairly easily.

Code:

# link the stock munin fail2ban plugin into the active plugin directory
sudo ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins
sudo munin-node-configure
sudo service munin-node restart
Finally, I made some scripts that made it easier to search the fail2ban client for lockout or blacklisted IP addresses.

lockout-ips.sh

Code:

#!/bin/sh
# Print the IPs currently banned by the "postfix" jail, one per line, sorted.
sudo fail2ban-client status postfix \
    | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
    | tr ' ' '\n' \
    | sed '/^$/d' \
    | sort
blacklist-ips.sh

Code:

#!/bin/sh
# Print the IPs currently banned by the "postfix-rbl" jail, one per line, sorted.
sudo fail2ban-client status postfix-rbl \
    | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
    | tr ' ' '\n' \
    | sed '/^$/d' \
    | sort
Last edited by stusmith on 09 Mar 2017 15:57, edited 1 time in total.
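To see what the two filters above actually catch, here is an added Python example, not code from the post, from fail2ban or from EFA, that applies stusmith's failregex and ignoreregex to a few constructed maillog lines and then applies each jail's maxretry threshold. The <HOST> tag is expanded to the pattern fail2ban 0.9 used (reproduced from memory, an assumption; the exact expression differs between versions), every log line, address and hostname is invented for the example, and the findtime window is assumed to cover all sample lines.

```python
import re
from collections import Counter

# fail2ban 0.9's expansion of the <HOST> tag (assumption, reproduced from
# memory; newer versions use a more elaborate expression).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two filters from the post above, as regex source strings, with the
# maxretry value each jail uses in jail.local.
FILTERS = {
    "postfix": {
        "failregex": [r"^.*smtpd.*\[<HOST>\].*authentication failed"],
        "ignoreregex": [],
        "maxretry": 2,
    },
    "postfix-rbl": {
        "failregex": [r"^.*smtpd.*NOQUEUE: reject.*Client host \[<HOST>\] blocked using"],
        "ignoreregex": [r".*?:PWS3.mxtoolbox.com"],
        "maxretry": 1,
    },
}

# Constructed maillog lines (all hosts and addresses invented).
SAMPLE_MAILLOG = """\
Feb 21 10:00:01 efa postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 21 10:00:09 efa postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 21 10:01:15 efa postfix/smtpd[1235]: warning: unknown[203.0.113.20]: SASL PLAIN authentication failed: authentication failure
Feb 21 10:02:30 efa postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<mail.example.com>
Feb 21 10:03:00 efa postfix/smtpd[1237]: NOQUEUE: reject: RCPT from PWS3.mxtoolbox.com[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using b.barracudacentral.org; from=<probe@example.net> to=<b@example.org> proto=ESMTP helo=<PWS3.mxtoolbox.com>
Feb 21 10:04:00 efa postfix/smtpd[1238]: connect from mail.example.com[203.0.113.50]
"""


def compile_filter(name):
    """Compile a filter's failregex and ignoreregex lists, expanding <HOST>."""
    spec = FILTERS[name]
    fail = [re.compile(r.replace("<HOST>", HOST)) for r in spec["failregex"]]
    ignore = [re.compile(r) for r in spec["ignoreregex"]]
    return fail, ignore


def match_line(line, fail, ignore):
    """Return the offending host for one log line, or None.

    None means no failregex matched, or one did but an ignoreregex also
    matched (fail2ban consults ignoreregex only for lines that already hit
    a failregex).
    """
    for rx in fail:
        m = rx.search(line)
        if m:
            if any(i.search(line) for i in ignore):
                return None
            return m.group("host")
    return None


def scan_jail(log_text, name):
    """Hosts that produced a failure under the named jail, in log order."""
    fail, ignore = compile_filter(name)
    hits = []
    for line in log_text.splitlines():
        host = match_line(line, fail, ignore)
        if host is not None:
            hits.append(host)
    return hits


def ban_candidates(hits, maxretry):
    """Hosts whose failure count reached maxretry (findtime is assumed to
    cover every sample, as the day-long findtime in jail.local would)."""
    return sorted(h for h, n in Counter(hits).items() if n >= maxretry)


if __name__ == "__main__":
    for name, spec in FILTERS.items():
        hits = scan_jail(SAMPLE_MAILLOG, name)
        print(name, "failures:", hits)
        print(name, "would ban:", ban_candidates(hits, spec["maxretry"]))
```

Two things the run makes visible. With maxretry = 2 the host that failed SASL twice is banned while the single failure is not, and with maxretry = 1 every RBL reject bans on sight, which is the "crazy strict" behaviour described above. Second, the ignoreregex as written requires a colon immediately before PWS3.mxtoolbox.com; in the constructed reject line the name only appears after "RCPT from" and inside the HELO, so the line is not exempted and 192.0.2.9 ends up in the ban list. A pattern such as `PWS3\.mxtoolbox\.com` (no leading colon, dots escaped) would exempt that monitor wherever its name appears, so it is worth running fail2ban-regex against a real reject line from the host you intend to whitelist before relying on the exemption.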
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: DNSBL and stuff

Post by stusmith »

wilbourne wrote: 08 Nov 2016 12:46 To reject spam before it's filter by mailscanner or spamassasin
put this on file /etc/postfix/main.cf :

Code:

smtpd_client_restrictions =
    permit_sasl_authenticated
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client all.spam-rbl.fr
    reject_rbl_client bl.spamcop.net
    reject_rbl_client relays.mail-abuse.org
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unknown_recipient_domain
    reject_invalid_helo_hostname
    reject_invalid_hostname
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_non_fqdn_helo_hostname
    reject_unauth_pipelining
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_hostname
and reload postfix
/etc/init.d/postfix reload

To refuse all advertisements by simply rejecting the message from the server:

create file /etc/postfix/header_checks

and put this :

Code:

/^List-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
/^X-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
and add this line on /etc/postfix/main.cf

Code:

header_checks = regexp:/etc/postfix/header_checks

postmap /etc/postfix/header_checks
and reload postfix
I liked this idea as well, but since some of my mailing lists are legitimate, I ended up adding a SpamAssassin rule to match these headers as well as a body rule to match a URL with unsubscribe in the text and a value of 2.25 for each of them. In my environment, with my spam threshold set to 4.0, that's usually enough to let well-behaved mailing lists through and block the ones that are poorly behaved.
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: DNSBL and stuff

Post by stusmith »

SupportOU wrote: 04 Nov 2016 08:19 Hola,

Anyone wants to share their postfix relay restrictions? And anyone set up postscreen to complement postfix? I use abuseat.org, spamhaus and barracuda for DNSBL. Anyone has some more/better?

spamhaus needs full recursion though...

See if we can work out a good postfix defense, 1st line of defense should be the cheapest in cycles.

Grtz,
Ronald
MailSpike is pretty great. I use the ones you've listed and MailSpike and that seems to get most of it. I'm still using SpamCop, but I'm a little more ambivalent about that one.
MikkiMo
Posts: 1
Joined: 24 Apr 2017 16:53

Re: DNSBL and stuff

Post by MikkiMo »

There are a lot of anti-ransomware tools like Malwarebytes Anti-Ransomware, Bitdefender CryptoVacine, Kaspersky and TrendMicro, but the best protection against the various ransomwares is a full system backup to an external offline hard drive/USB!
upd: also check this site - https://sureshotsoftware.com/guides/globeimposter-2-0/