Saturday, June 11, 2016

using fail2ban to protect postfix/smtpd service

Recently I have found a lot of "lost connection after" entries in /var/log/maillog file:
lost connection after AUTH from unknown[IP.address]
lost connection after CONNECT 
lost connection after RCPT
lost connection after STARTTLS  
lost connection after UNKNOWN

It's possibly some kind of botnet trying to deliver spam using my mail server.
It won't work but it's still nice to get rid of such clients on the firewall level.

First you need to create a rule for fail2ban - create /etc/fail2ban/filter.d/postfix-auth.conf and put the following config:
# Fail2ban postfix-auth filter
before = common.conf

_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =

Next edit /etc/fail2ban/jail.conf and add postfix-auth service at the end of file:
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 2
bantime = 36000
findtime = 300

Finally restart fail2ban service and check /var/log/messages or iptables to see if your new rule works fine:
service fail2ban restart
grep Ban /var/log/messages
iptables -nvL

/var/log/maillog logpath is for Centos/Redhat.
For other distros make sure to point out proper mail.log file.

1 comment: