HOWTO: Protect against postfix AUTH DoS attacks
5 March, 2021 by
HOWTO: Protect against postfix AUTH DoS attacks
Administrator
| No comments yet

 

I have tons of

Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]

in my logs. If you are on the same boat and want to block such attacks, you can use fail2ban:

1/ add following section to the end of your /etc/fail2ban/jail.local

[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log

2/ create new file /etc/fail2ban/filter.d/postfix.auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

3/ Restart fail2ban. Attacker will be blocked after five attempts.

 

Sign in to leave a comment