DNSBL and stuff
Posted: 04 Nov 2016 08:19
by SupportOU
Hola,
Does anyone want to share their Postfix relay restrictions? And has anyone set up postscreen to complement Postfix? I use abuseat.org, Spamhaus and Barracuda for DNSBLs. Does anyone have more/better ones?
Spamhaus needs full recursion though...
Let's see if we can work out a good Postfix defense; the first line of defense should be the cheapest in cycles.
Grtz,
Ronald
Re: DNSBL and stuff
Posted: 08 Nov 2016 09:28
by nicola.piazzi
Re: DNSBL and stuff
Posted: 08 Nov 2016 12:46
by wilbourne
To reject spam before it is filtered by MailScanner or SpamAssassin, put this in /etc/postfix/main.cf:
# Checks applied as soon as the client connects. zen.spamhaus.org already combines
# SBL, XBL and PBL, and XBL carries the CBL (cbl.abuseat.org) data, so the separate
# sbl / sbl-xbl / cbl entries below only add DNS lookups per connection.
smtpd_client_restrictions =
    permit_sasl_authenticated
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client all.spam-rbl.fr
    reject_rbl_client bl.spamcop.net
    reject_rbl_client relays.mail-abuse.org
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org

# Checks applied at RCPT TO. reject_invalid_hostname and reject_non_fqdn_hostname
# are the pre-2.3 names of reject_invalid_helo_hostname and
# reject_non_fqdn_helo_hostname, so on a current Postfix they duplicate those two.
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unknown_recipient_domain
    reject_invalid_helo_hostname
    reject_invalid_hostname
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_non_fqdn_helo_hostname
    reject_unauth_pipelining
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_hostname
and reload postfix
/etc/init.d/postfix reload
To refuse all advertisements by simply rejecting the message at the server, create the file /etc/postfix/header_checks and put this in it:
/^List-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
/^X-Unsubscribe: .*/ REJECT Mailing-List: the server refuses all newsletters
and add this line to /etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks
then run
postmap /etc/postfix/header_checks
and reload postfix
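Two things in this thread are worth seeing in code: Ronald's remark that Spamhaus "needs full recursion", and what `reject_rbl_client` actually does with the answer it gets. The block below is an added example, not Postfix code: it builds the query name Postfix looks up, models the bare `zone` form against the `zone=127.0.0.[2..11]` form (the `[a..b]` range syntax is Postfix 2.8 and later), and flags zones in the list above that are already inside zen.spamhaus.org. The Spamhaus special replies (127.255.255.252/254/255) and the ZEN composition come from Spamhaus's public documentation; the resolver answers fed in are constructed, and 192.0.2.10 is a documentation address, not a real listing.

```python
"""Offline model of what Postfix's reject_rbl_client does with a DNSBL reply."""
import ipaddress
import re
from typing import List, Optional, Set

# Zones whose data is already inside zen.spamhaus.org: Spamhaus documents ZEN as
# SBL + XBL + PBL, and XBL incorporates the CBL (cbl.abuseat.org) feed. Listing
# them next to zen costs a DNS lookup per connection without adding coverage.
ZEN_COMPONENTS = {"sbl.spamhaus.org", "xbl.spamhaus.org", "pbl.spamhaus.org",
                  "sbl-xbl.spamhaus.org", "cbl.abuseat.org"}

# Spamhaus replies that mean "your query was not answered", not "listed". The
# 127.255.255.254 one is what you get through a public/open resolver, hence the
# "needs full recursion" remark: use your own recursive resolver for these zones.
SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in the query name",
    "127.255.255.254": "query came via a public/open resolver and was refused",
    "127.255.255.255": "query volume limit exceeded",
}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Name Postfix looks up: reversed address octets (nibbles for IPv6) under the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        reversed_ip = ".".join(reversed(client_ip.split(".")))
    else:
        reversed_ip = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_ip}.{zone}"


def _octet_matches(value: int, spec: str) -> bool:
    """One octet of a reject_rbl_client pattern: a number, or [a..b;c] (Postfix 2.8+ syntax)."""
    if not spec.startswith("["):
        return value == int(spec)
    for part in spec[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..")
            if int(lo) <= value <= int(hi):
                return True
        elif value == int(part):
            return True
    return False


def reply_matches(answer: str, pattern: Optional[str]) -> bool:
    """A bare zone treats any A record as "listed"; zone=pattern only counts matching records."""
    if pattern is None:
        return True
    specs = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = answer.split(".")
    return len(specs) == 4 and all(_octet_matches(int(o), s) for o, s in zip(octets, specs))


def postfix_decision(restriction: str, answers: List[str]) -> str:
    """Outcome of `reject_rbl_client <restriction>` given the A records the resolver returned."""
    zone, _, pattern = restriction.partition("=")
    if any(reply_matches(a, pattern or None) for a in answers):
        return "REJECT"
    return "DUNNO"  # not listed here; Postfix moves on to the next restriction


def explain_reply(zone: str, answers: List[str]) -> str:
    """Human-readable reading of a reply, separating Spamhaus error codes from real listings."""
    if not answers:
        return "not listed"
    if zone.endswith("spamhaus.org"):
        for a in answers:
            if a in SPAMHAUS_ERRORS:
                return "lookup error: " + SPAMHAUS_ERRORS[a]
    return "listed: " + ", ".join(answers)


def redundant_zones(zones: List[str]) -> Set[str]:
    """Zones that add nothing once zen.spamhaus.org is in the list."""
    if "zen.spamhaus.org" not in zones:
        return set()
    return {z for z in zones if z in ZEN_COMPONENTS}


if __name__ == "__main__":
    # Constructed replies for the demonstration.
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    for restriction in ("zen.spamhaus.org", "zen.spamhaus.org=127.0.0.[2..11]"):
        for answers in (["127.0.0.4"], ["127.255.255.254"], []):
            print(f"{restriction:36} {answers!s:22} -> {postfix_decision(restriction, answers)}"
                  f"  ({explain_reply('zen.spamhaus.org', answers)})")
    print("redundant:", sorted(redundant_zones([
        "sbl.spamhaus.org", "cbl.abuseat.org", "sbl-xbl.spamhaus.org",
        "zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"])))
```

The practical point is the second row of the output: with the bare `reject_rbl_client zen.spamhaus.org`, a 127.255.255.254 "you are using an open resolver" reply is indistinguishable from a listing, so every client gets rejected; the `=127.0.0.[2..11]` form turns that into a DUNNO.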
Re: DNSBL and stuff
Posted: 08 Nov 2016 15:11
by nicola.piazzi
reject_rbl_client all.spam-rbl.fr
all.spam-rbl.fr seems to be empty
Re: DNSBL and stuff
Posted: 09 Nov 2016 09:50
by wilbourne
Thanks for your reply; you can replace all.spam-rbl.fr with another one.
Here is a link with a lot of active RBL lists:
http://www.anti-abuse.org/multi-rbl-check/
And with this configuration you can install fail2ban and create a rule to ban some "unknown connect from" clients.
Do not hesitate to share your solution.
Re: DNSBL and stuff
Posted: 09 Nov 2016 11:17
by nicola.piazzi
The most complete RBL CHECK is
http://multirbl.valli.org
Re: DNSBL and stuff
Posted: 15 Nov 2016 11:56
by SupportOU
Guys!
Thanks for all the info!
Still got some reports from end users complaining about the ransomware plague that is upon us. In EFA the UnOfficial Sigs are included from Malwarepatrol and securiteinfo. Now, malwarepatrol also offers a premium subscription, but that's $3900 a year, which is a lot of money (for me).
Do you have any idea if paying for subscriptions from any vendor is beneficial in catching ransomware mails? MP claims to have list updates by the hour.
Any ideas welcome!
Grtz,
Ronald
And thanks again for sharing
Re: DNSBL and stuff
Posted: 15 Nov 2016 21:26
by wilbourne
I think this part requires a lot of manual work. There are alternatives to malware patrol.
You can take a look at this site
http://malc0de.com/bl/
https://www.servernoobs.com/how-to-inst ... etect-lmd/
https://www.projecthoneypot.org/
Re: DNSBL and stuff
Posted: 24 Nov 2016 10:00
by SupportOU
Hi Wilbourne,
I checked some parameters:
"With Postfix 2.0 snapshot releases, "reject_unlisted_recipient" is called "check_recipient_maps". Postfix 2.1 understands both forms."
I use check_recipient_maps with an ldap lookup to my ad to see if a recipient exists in my domain.
"reject_unlisted_sender"
Why use this one? If I read the Postfix docs correctly, this claims that the sender counts as "known" if it is specified in a map, which is not desirable for an internet-facing receiving MX.
"reject_unknown_reverse_client_hostname"
Reject the request when the client IP address has no address->name mapping.
This is a weaker restriction than the reject_unknown_client_hostname feature, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address.
The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem.
This feature is available in Postfix 2.3 and later.
So I'd say use reject_unknown_client_hostname instead.
The header checks, well, mailing lists are allowed on my system, otherwise I get upset users.
Honeypot: I don't believe this adds any defense, since most are zero-days.
Malware Detect: part of the ExtremeShok unofficial sigs, which are already part of EFA.
Malcode: I could use this BlackList_IPs list, put it in a hash map and have Postfix look into that list and reject 'em. But I do think it's more for web sites serving malware, so this should be in Squid somewhere. That'll make more sense.
Looking forward to your comments.
Grtz,
Ronald
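Ronald's comparison of the two client-hostname restrictions is easier to see when both rules are applied to the same addresses. The block below is an added example in Python, not Postfix code: it holds a constructed PTR/A table (documentation-range addresses, invented host names) and applies the rule each restriction uses, including the temporary-failure case that always gets 450 regardless of `unknown_client_reject_code`.

```python
"""Model of Postfix's reject_unknown_reverse_client_hostname versus
reject_unknown_client_hostname, run against a constructed DNS table."""
from typing import Dict, List, Optional, Tuple

TEMPFAIL = "TEMPFAIL"   # marker for a lookup that failed temporarily (SERVFAIL / timeout)

# Constructed data for the demonstration; not real hosts.
PTR_RECORDS: Dict[str, Optional[str]] = {     # address -> name
    "192.0.2.10": "mx1.example.net",          # PTR and A agree
    "192.0.2.20": "mail.example.org",         # PTR exists, but the name resolves elsewhere
    "192.0.2.30": None,                       # no PTR at all
    "192.0.2.40": TEMPFAIL,                   # resolver could not answer
}
A_RECORDS: Dict[str, List[str]] = {           # name -> addresses
    "mx1.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.7"],
}


def check_client(client_ip: str, strict: bool, reject_code: int = 450) -> Tuple[Optional[int], str]:
    """Return (SMTP reply code, reason); a code of None means the client is accepted.

    strict=False models reject_unknown_reverse_client_hostname: only the
    address->name mapping has to exist.
    strict=True models reject_unknown_client_hostname: the name->address lookup
    must also reproduce the client address (forward-confirmed reverse DNS).
    reject_code plays the role of unknown_client_reject_code (Postfix default 450);
    a temporary DNS failure is always answered with 450 regardless of that setting.
    """
    name = PTR_RECORDS.get(client_ip)
    if name == TEMPFAIL:
        return 450, "temporary failure on the address->name lookup; client should retry"
    if name is None:
        return reject_code, "no address->name mapping for client"
    if not strict:
        return None, f"accepted: client has PTR {name}"
    if client_ip not in A_RECORDS.get(name, []):
        return reject_code, f"name->address for {name} does not reproduce {client_ip}"
    return None, f"accepted: {name} forward-confirms {client_ip}"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        for strict in (False, True):
            code, why = check_client(ip, strict, reject_code=550)
            rule = "reject_unknown_client_hostname" if strict else "reject_unknown_reverse_client_hostname"
            print(f"{ip:12} {rule:40} -> {code or 'OK'}: {why}")
```

The 192.0.2.20 row is the one that separates the two: a PTR that points at a name which resolves somewhere else passes the reverse-only check and fails the forward-confirmed one, which is why the stricter restriction also rejects legitimate but sloppily configured senders and deserves a 450 rather than a 550 until you have watched the logs for a while.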
Re: DNSBL and stuff
Posted: 29 Nov 2016 20:29
by wilbourne
Thanks for your reply.
With reject_unlisted_recipient I don't need to configure an LDAP lookup, because Postfix checks "mydestination" and, if the destination says "user unknown", Postfix rejects the message with code 550.
Conditions for reject_unlisted_recipient:
An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping.
The recipient domain matches $mydestination, $inet_interfaces or $proxy_interfaces, but the recipient is not listed in $local_recipient_maps, and $local_recipient_maps is not null.
The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps.
The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
The recipient domain matches $relay_domains but the recipient is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
reject_unlisted_sender = if the sender's domain does not have an MX or A record, or the MX is malformed.
You can also add this plugin to your server
http://www.scrolloutf1.com/rbl
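The conditions listed above, turned into a decision function so the "and the map is not null" clauses can be exercised. This is an added example, not Postfix's own code: the address classes and users are constructed, only `$mydestination` is modelled (not `$inet_interfaces`/`$proxy_interfaces`), and `local_recipient_maps` is keyed by local part as Postfix does for local delivery. The reason text appended to the 550 reply is the example's own; Postfix itself says "Recipient address rejected: User unknown".

```python
"""Decision procedure for Postfix's reject_unlisted_recipient, following the
conditions quoted above, run over a constructed address-class setup."""
from typing import Dict, Optional, Set

Maps = Dict[str, Optional[Set[str]]]

# Constructed configuration for the demonstration (example domains, invented users).
# A value of None models a map parameter left empty ("null") in main.cf; an empty
# set models a map that exists but has no entries.
CONFIG: Maps = {
    "mydestination": {"example.com", "localhost"},
    "local_recipient_maps": {"ronald", "postmaster"},   # local parts, e.g. unix:passwd.byname
    "virtual_alias_domains": {"alias.example"},
    "virtual_alias_maps": {"info@alias.example"},
    "virtual_mailbox_domains": {"vm.example"},
    "virtual_mailbox_maps": None,                       # null, so nobody here can be "unlisted"
    "relay_domains": {"relay.example"},
    "relay_recipient_maps": {"bob@relay.example"},
    "canonical_maps": set(),
}


def _listed(cfg: Maps, key: str, value: str) -> bool:
    table = cfg.get(key)
    return table is not None and value in table


def unlisted_reason(recipient: str, cfg: Maps = CONFIG) -> Optional[str]:
    """Why reject_unlisted_recipient would fire for this address, or None if it would not."""
    local, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    # Always "known" when it matches a virtual(5) alias or canonical(5) mapping.
    if _listed(cfg, "virtual_alias_maps", recipient) or _listed(cfg, "canonical_maps", recipient):
        return None
    if _listed(cfg, "mydestination", domain):
        if cfg["local_recipient_maps"] is not None and not _listed(cfg, "local_recipient_maps", local):
            return "local domain, recipient not in $local_recipient_maps"
        return None
    if _listed(cfg, "virtual_alias_domains", domain):
        # No null-map exemption for this class: the address must be in $virtual_alias_maps.
        return "virtual alias domain, recipient not in $virtual_alias_maps"
    if _listed(cfg, "virtual_mailbox_domains", domain):
        if cfg["virtual_mailbox_maps"] is not None and not _listed(cfg, "virtual_mailbox_maps", recipient):
            return "virtual mailbox domain, recipient not in $virtual_mailbox_maps"
        return None
    if _listed(cfg, "relay_domains", domain):
        if cfg["relay_recipient_maps"] is not None and not _listed(cfg, "relay_recipient_maps", recipient):
            return "relay domain, recipient not in $relay_recipient_maps"
        return None
    # Not one of our address classes: this restriction says nothing; relaying
    # attempts are for reject_unauth_destination to handle.
    return None


def smtp_reply(recipient: str, cfg: Maps = CONFIG, reject_code: int = 550) -> str:
    """Server answer at RCPT TO; reject_code plays the role of unlisted_recipient_reject_code."""
    reason = unlisted_reason(recipient, cfg)
    if reason is None:
        return "DUNNO"
    return f"{reject_code} 5.1.1 <{recipient}>: Recipient address rejected: User unknown ({reason})"


if __name__ == "__main__":
    for addr in ("ronald@example.com", "scan@example.com", "info@alias.example",
                 "other@alias.example", "anyone@vm.example", "eve@relay.example",
                 "x@unrelated.example"):
        print(f"{addr:22} -> {smtp_reply(addr)}")
```

Note the `anyone@vm.example` row: with `virtual_mailbox_maps` left empty the restriction cannot reject anything in that domain, which is the "is not null" clause doing its work; the same applies to an empty `local_recipient_maps`, so disabling that map to silence false rejects also switches off the check wilbourne is relying on.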
Re: DNSBL and stuff
Posted: 05 Dec 2016 22:42
by SupportOU
Hi Wilbourne,
Is reject_unknown_client_hostname different from reject_unlisted_sender? It was my understanding that reject_unknown_client_hostname blocks everything that has no DNS name mapping or PTR to go with it.
I'll have a look at Scrollout, thanks!
Re: DNSBL and stuff
Posted: 06 Dec 2016 17:40
by wilbourne
Hi SupportOU,
Sorry, I made a mistake in my last post.
reject_unlisted_sender = reject outbound senders that are listed as being in our domain. (This rule checks for the existence of the user in the MAIL FROM, as soon as it is in our domain.)
In my case I receive a lot of mail whose sender address is scan@mydomain or document@mydomain and others, because if you have not configured anti-spoofing in Postfix, the sender can put mydomain in MAIL FROM and bypass the RBL check and other controls. So with this rule I can choose who may use @mydomain, and the others are rejected.
Sorry for my English.
Re: DNSBL and stuff
Posted: 21 Feb 2017 12:45
by stusmith
Interesting. I just managed to register on the forums. I've been replacing our current appliance ( a Calyptix Security box ) with the EFA-Project and I've been very happy with it. There are a few things left to do. I had managed to get fail2ban working with postfix. I created two jails, postfix and postfix-rbl, which correspond to clients that attempt to authenticate and fail ( saslauth errors ) and clients that are blocked by a dnsrbl. I enabled the sshd jail as well and tested that.
The next step was to enable a jail for the web portal and munin so that I can allow users to manage their quarantines from outside of my network. We have a fair number of mobile users who are accustomed to being able to release items from quarantine without having a VPN connection. Calyptix handles "security" for this operation through obfuscation - meaning that they generate a long string of random characters that is appended to a url and then a per-user hash is appended to that in order to generate a 'password-free' link to access a quarantine. It's not great, and I would say that it isn't terrible except that the appliance DOES NOT SUPPORT SSL/TLS/SMTPS. Thankfully, they support HTTPS but their strategy seems to be rather than acting as a mail relay, to act as a transparent proxy? Anyway...
It was working very well until yesterday when I upgraded from fail2ban-0.9.4-2.e16 to fail2ban-0.9.6-1.e16. The result was that I receive a ton of failures in my logs stating that the jail can't be initialized and no backend could be found. Currently, the backend for postfix and for sshd is set as 'auto'. I have tried 'systemd' without success as well.
I found the following link:
https://github.com/fail2ban/fail2ban/issues/1150 which describes the problem pretty well. I had assumed I was using pynotify, but maybe that isn't the case? At any rate, I tried:
[ssmith@foster-spam fail2ban]$ sudo pip install python-systemd
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting python-systemd
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Downloading python-systemd-0.0.9.tar.gz
Installing collected packages: python-systemd
Running setup.py install for python-systemd ... done
Successfully installed python-systemd-0.0.9
[ssmith@foster-spam fail2ban]$ sudo fail2ban-client reload
ERROR NOK: ("Failed to initialize any backend for Jail 'sshd'",)
... lot o'errors...
ERROR NOK: ("Failed to initialize any backend for Jail 'postfix'",)
... lot o'errors...
ERROR NOK: ("Failed to initialize any backend for Jail 'postfix-rbl'",)
... lot o'errors...
[ssmith@foster-spam fail2ban]$ python -c 'from systemd import journal; print("OK")'
Traceback (most recent call last):
File "<string>", line 1, in <module>
ImportError: cannot import name journal
So I thought that I'd roll back the transaction:
[ssmith@foster-spam fail2ban]$ sudo yum history list all
Loaded plugins: fastestmirror, security
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
27 | <ssmith> | 2017-02-20 22:30 | Update | 1
26 | <ssmith> | 2017-02-17 18:59 | Install | 1
25 | <ssmith> | 2017-02-08 18:28 | Install | 1
24 | <ssmith> | 2017-02-06 18:12 | Install | 1 EE
...
[ssmith@foster-spam fail2ban]$ sudo yum history info 27
Loaded plugins: fastestmirror, security
Transaction ID : 27
Begin time : Mon Feb 20 22:30:40 2017
Begin rpmdb : 652:1cde42c3242f60087a0d99cc764e941191d7b8d7
End time : 22:30:41 2017 (1 seconds)
End rpmdb : 652:67110175f141329110b6b82bef02b9e44b431912
User : <ssmith>
Return-Code : Success
Command Line : update
Transaction performed with:
Installed rpm-4.8.0-55.el6.x86_64 @base
Installed yum-3.2.29-75.el6.centos.noarch @updates
Installed yum-plugin-fastestmirror-1.1.30-37.el6.noarch @base
Packages Altered:
Updated fail2ban-0.9.4-2.el6.noarch @epel
Update 0.9.6-1.el6.noarch @epel
history info
[ssmith@foster-spam fail2ban]$ sudo yum downgrade fail2ban-0.9.4-2.e16.noarch
Loaded plugins: fastestmirror, security
Setting up Downgrade Process
Loading mirror speeds from cached hostfile
* EFA: dl4.efa-project.org
* base: mirrors.greenmountainaccess.net
* epel: mirror.cs.pitt.edu
* extras: mirrors.centos.webair.com
* updates: mirror.lug.udel.edu
No package fail2ban-0.9.4-2.e16.noarch available.
Nothing to do
Has anyone else seen this problem? I apologize if I'm posting this in an incorrect location. First post and not terribly familiar with the forums here yet.
Re: DNSBL and stuff
Posted: 03 Mar 2017 09:46
by wilbourne
stusmith wrote: ↑21 Feb 2017 12:45
Hi could you post your config file for jail ssh, postfix and postfix-rbl ?
Re: DNSBL and stuff
Posted: 03 Mar 2017 13:33
by stusmith
--EDITED--: fixed a problem with the iptables-allports-log.conf file
Sure, no problem. I fixed the above problem by changing everything from "auto" backend to "pynotify". I also split out the logfiles because it's easier to search when the information is dropped into its own file. I wanted to make sure that I was tracking the blocked traffic in the event I had to trace down why legitimate messages were not hitting the EFA postfix process.
So far, this thing is crazy efficient. Dropping everything at the MTA level saves SOOOOO much time and effort. There's an error with my unbanning action. It works as expected, iptables just throws out an error -- I think because of the order of the commands. I haven't had a chance to dig into it just yet.
I also enabled the apache jails because I'm allowing access to the EFA from the web so my mobile users can access their quarantines. I realize that I'm crazy strict with my jail setup for postfix authentication failures; I just discovered that the majority of my failed login attempts were coming in ones and twos from places on the other side of the world and decided I'd rather unban clients with legitimate failures than deal with well-timed intrusion attempts.
Breaking out the logging and the rules in iptables that way that I have also allows me to track which hosts are the most persistent in their attempts to connect. My assumption was that a legitimate host being blocked would be more likely to stick out in that scenario. My biggest offender seems to be a Verizon Wireless host that's very spammy. Ha!
/etc/fail2ban/filter.d/postfix.local
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = postfix
failregex = ^.*smtpd.*\[<HOST>\].*authentication failed
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
#journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# DEV Notes:
#
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
# it is coming before use of <HOST> which is not hard-anchored at the end as well,
# and later catch-all's could contain user-provided input, which need to be greedily
# matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
/etc/fail2ban/filter.d/postfix-rbl.local
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = postfix-rbl
failregex = ^.*smtpd.*NOQUEUE: reject.*Client host \[<HOST>\] blocked using
ignoreregex = .*?:PWS3.mxtoolbox.com
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
#journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# DEV Notes:
#
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
# it is coming before use of <HOST> which is not hard-anchored at the end as well,
# and later catch-all's could contain user-provided input, which need to be greedily
# matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
/etc/fail2ban/jail.local
[postfix]
enabled = true
port = all
#logpath = %(postfix_log)s
logpath = /var/log/maillog
backend = %(postfix_backend)s
filter = postfix
findtime = 86400
bantime = 86400
action = iptables-allports-log[name=postfix]
maxretry = 2
[postfix-rbl]
enabled = true
port = all
#logpath = %(postfix_log)s
logpath = /var/log/maillog
backend = %(postfix_backend)s
filter = postfix-rbl
maxretry = 1
findtime = 86400
bantime = 86400
action = iptables-allports-log[name=postfix-rbl]
/etc/fail2ban/action.d/iptables-allports-log.conf --EDITED--: fixed a problem with the order of commands so no more annoying log errors
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
#
[INCLUDES]
before = iptables-common.conf

[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
#         f2b-<name> holds one rule per banned address; each of those jumps to
#         f2b-<name>-log, which logs the packet and then applies <blocktype>.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
              <iptables> -N f2b-<name>-log
              <iptables> -A f2b-<name>-log -p <protocol> -j LOG --log-prefix "Firewall.f2b-<name>: " --log-level 4
              <iptables> -A f2b-<name>-log -j <blocktype>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban. Tear down in the reverse
#         order of actionstart: remove the jump from <chain> first, then flush
#         each chain before deleting it (iptables refuses to delete a chain that
#         is still referenced or still contains rules).
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>
             <iptables> -F f2b-<name>-log
             <iptables> -X f2b-<name>-log

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights. The rule to delete
#         must be specified exactly as it was inserted by actionban.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log

[Init]
/etc/rsyslog.d/30-fail2ban.conf
# /etc/rsyslog.d/30-fail2ban.conf
# -----------------------------------------
# log from all fail2ban service
# -----------------------------------------
#
if $programname startswith_i 'fail2ban' then /var/log/fail2ban.log
#if $msg contains 'fail2ban' then /var/log/fail2ban.log
/etc/rsyslog.d/20-firewall.conf APPENDED
# /etc/rsyslog.d/20-firewall.conf
# -----------------------------------------
# log from all firewall service
# -----------------------------------------
#
if $programname startswith_i 'Firewall' then /var/log/firewall.log
if $msg contains 'Firewall' then /var/log/firewall.log
/etc/logrotate.d/syslog
/var/log/unbound.log
/var/log/firewall.log
/var/log/saslauthd.log
/var/log/fail2ban.log
{
rotate 14
daily
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
I also enabled the fail2ban plugin for munin so I can keep track of how much is banned at a time fairly easily.
sudo ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins
sudo munin-node-configure
sudo service munin-node restart
Finally, I made some scripts that made it easier to search the fail2ban client for lockout or blacklisted IP addresses.
lockout-ips.sh
#!/bin/sh
sudo fail2ban-client status postfix | sed -r 's/`- Banned IP list:\W*//g' | sed -e 's/^[\t\0]*//' | sed -rn '7,$s/(([0-9]{1,3}\.){3}[0-9]{1,3})/&\n/pg' | sed -rn 's/^ {1,}//pg' | sort
blacklist-ips.sh
#!/bin/sh
sudo fail2ban-client status postfix-rbl | sed -r 's/`- Banned IP list:\W*//g' | sed -e 's/^[\t\0]*//' | sed -rn '7,$s/(([0-9]{1,3}\.){3}[0-9]{1,3})/&\n/pg' | sed -rn 's/^ {1,}//pg' | sort
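A dry run of the two filters posted above, the way `fail2ban-regex` would evaluate them, added here as an example and not part of the posted setup. It takes the failregex/ignoreregex values from the filter files, runs them over constructed maillog lines (documentation-range addresses, invented host names), and counts hits per host against each jail's maxretry. The `<HOST>` expansion is a simplified stand-in for fail2ban's own. One thing the run shows: the posted ignoreregex `.*?:PWS3.mxtoolbox.com` needs a colon immediately before the host name, which a Postfix "NOQUEUE: reject: RCPT from host[ip]" line does not contain, so the mxtoolbox probe still ends up banned; the alternative pattern `RCPT from PWS3\.mxtoolbox\.com\[` is an assumption about where the name appears in the line and is the example's own.

```python
"""Dry run of the postfix and postfix-rbl filters posted above against
constructed maillog lines, the way fail2ban-regex would evaluate them."""
import re
from collections import Counter
from typing import List

# Simplified stand-in for fail2ban's <HOST> expansion; enough for the
# "name[a.b.c.d]" shape Postfix writes.
HOST = r"(?P<host>[\w\-.:]+)"

# failregex / ignoreregex values from the filter files posted above.
POSTFIX_FAIL = [r"^.*smtpd.*\[<HOST>\].*authentication failed"]
RBL_FAIL = [r"^.*smtpd.*NOQUEUE: reject.*Client host \[<HOST>\] blocked using"]
RBL_IGNORE_POSTED = [r".*?:PWS3.mxtoolbox.com"]
# Constructed alternative anchored on where the host name actually appears in
# a Postfix reject line ("RCPT from PWS3.mxtoolbox.com[...]").
RBL_IGNORE_FIXED = [r"RCPT from PWS3\.mxtoolbox\.com\["]

# Constructed /var/log/maillog lines (documentation-range addresses, invented hosts).
MAILLOG = [
    "Mar  3 12:00:01 efa postfix/smtpd[2345]: warning: unknown[192.0.2.11]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar  3 12:00:09 efa postfix/smtpd[2345]: warning: unknown[192.0.2.11]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar  3 12:01:00 efa postfix/smtpd[2346]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; "
    "from=<x@example.net> to=<ronald@example.com> proto=ESMTP helo=<mail.example.net>",
    "Mar  3 12:02:00 efa postfix/smtpd[2347]: NOQUEUE: reject: RCPT from PWS3.mxtoolbox.com[203.0.113.5]: "
    "554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; "
    "from=<test@mxtoolbox.com> to=<ronald@example.com> proto=ESMTP helo=<PWS3.mxtoolbox.com>",
    "Mar  3 12:03:00 efa postfix/smtpd[2348]: connect from mx1.example.net[192.0.2.10]",
    "Mar  3 12:04:00 efa postfix/smtpd[2348]: 1A2B3C4D5E: client=mx1.example.net[192.0.2.10], "
    "sasl_method=PLAIN, sasl_username=ronald",
]


def compile_filter(failregex: List[str], ignoreregex: List[str]):
    """Expand <HOST> and compile both lists the way the filter definition is read."""
    fail = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    ignore = [re.compile(p) for p in ignoreregex]
    return fail, ignore


def matched_hosts(lines: List[str], failregex: List[str], ignoreregex: List[str]) -> List[str]:
    """Host from every line that hits a failregex and no ignoreregex, in log order.
    fail2ban strips the timestamp before matching; the leading ^.* makes that moot here."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue
        for r in fail:
            m = r.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def ban_candidates(lines: List[str], failregex: List[str], ignoreregex: List[str],
                   maxretry: int) -> List[str]:
    """Hosts reaching maxretry hits; findtime is ignored since the sample is one window."""
    counts = Counter(matched_hosts(lines, failregex, ignoreregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("postfix      (maxretry=2):", ban_candidates(MAILLOG, POSTFIX_FAIL, [], 2))
    print("postfix-rbl  posted ignore:", ban_candidates(MAILLOG, RBL_FAIL, RBL_IGNORE_POSTED, 1))
    print("postfix-rbl  fixed ignore: ", ban_candidates(MAILLOG, RBL_FAIL, RBL_IGNORE_FIXED, 1))
```

Against a real log the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.local`, which reports matched and ignored lines per regex; with maxretry = 1 on the rbl jail an ignoreregex that silently never matches is worth catching before a monitoring service gets banned.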
Re: DNSBL and stuff
Posted: 03 Mar 2017 13:36
by stusmith
wilbourne wrote: ↑08 Nov 2016 12:46
I liked this idea as well, but since some of my mailing lists are legitimate, I ended up adding a SpamAssassin rule to match these headers as well as a body rule to match a URL with unsubscribe in the text and a value of 2.25 for each of them. In my environment, with my spam threshold set to 4.0, that's usually enough to let well-behaved mailing lists through and block the ones that are poorly behaved.
Re: DNSBL and stuff
Posted: 03 Mar 2017 13:38
by stusmith
SupportOU wrote: ↑04 Nov 2016 08:19
Hola,
Anyone wants to share their postfix relay restrictions? And anyone set up postscreen to complement postfix? I use abuseat.org, spamhaus and barracuda for DNSBL. Anyone has some more/better?
spamhaus needs full recursion though...
See if we can work out a good postfix defense, 1st line of defense should be the cheapest in cycles.
Grtz,
Ronald
MailSpike is pretty great. I use the ones you've listed and MailSpike and that seems to get most of it. I'm still using SpamCop, but I'm a little more ambivalent about that one.
Re: DNSBL and stuff
Posted: 24 Apr 2017 17:01
by MikkiMo
There are a lot of anti-ransomware tools like Malwarebytes Anti-Ransomware, Bitdefender CryptoVaccine, Kaspersky and TrendMicro, but the best protection against the various ransomware families is a full system backup to an external offline hard drive/USB!
upd: also check this site -
https://sureshotsoftware.com/guides/globeimposter-2-0/