On 02/08/2019 19:38, Jon LaBadie wrote:
On Fri, Aug 02, 2019 at 10:19:49AM -0400, mark wrote:
Fred Smith wrote:
On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
<MVNCH>
One thing I don't understand is how/why the firewall is DROPping so
many attempts on port 25 when it in fact has a port forward rule sending
port 25 on to my mailserver. How does it know, or why does it think that
some of them can be dropped at the outer barrier?
you, but thank you for taking a hundred thousand or so for all of us.
Hey, its the least I can do for all the good guys out there! :)
But that doesn't mean the same dratsabs aren't hitting all the rest
of you too.
I'm sure they are. Are you running fail2ban?
Several years back I switched from sendmail to postfix.
Not knowing what I was doing, I think I have it set to
say it will forward email following SASL authentication.
But as I had no intention of forwarding anything, I did
not set up any authentication methods. So anyone who
tries fails to authenticate.
With fail2ban in place I get 200-500 daily SASL "fail to
authenticate" instances. In contrast, several months ago
fail2ban either died or did not restart correctly. This
went unnoticed for about a week. During that time I got
10000-32000 daily "failed to authenticate".
Jon
I've been using fail2ban for some time, I have a number of ports open to
the Internet - SSH, SMTP, IMAPS, HTTP and HTTPS on my external subnet.
This thread made me look at how fail2ban was doing, and I noticed that
it wasn't particularly working too well for SSH, as I have turned off
password authentication, so I edited the filters a little, and found it
started filtering some more IPs. I found on my firewall that there were
something like 500 active connection states to SSH - it looked like a
scanning tool was just hanging and sending many connections, the same
thing for about three remote IPs - I put a manual block on these at the
firewall.
The firewall has a block feature, which allows me to enter URLs which
point to lists of IPs (Blocklists) and block traffic from those IPs at
the firewall.
It's designed to use these types of IP feeds: http://iplists.firehol.org/
Well, there's nothing stopping me running a cron-job on my CentOS boxes
to do the following:
iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /tmp/banned
I can then transfer the banned file to a web-server and block the bad IP
addresses completely from my network. I like this as if a system is
brute-forcing my SSH server, I can now block it from all resources on
the network, and stop the attempts even reaching the internal hosts.
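The cron-job idea above, written out as an added example (this is not the poster's script, nor anything shipped by fail2ban or CentOS). It reads the same "iptables -L -n" listing, but only takes REJECT/DROP rules from chains using fail2ban's default naming (f2b-<jail> on fail2ban 0.9 and later, fail2ban-<jail> on older releases), so a REJECT rule written by hand in another chain does not end up in the published list; it also requires the source column to look like an IPv4 address, de-duplicates addresses banned by more than one jail, and writes the output file atomically so a web server never hands the firewall a half-written file. The function names, the output path, and the sample listing (built from RFC 5737 documentation addresses) are assumptions made for the example:

```shell
#!/bin/sh
# Added example: build a blocklist file from the IPs fail2ban currently bans.
# Assumes fail2ban's default chain names (f2b-<jail> or fail2ban-<jail>) and IPv4.

# extract_banned: read "iptables -L -n" text on stdin, print one banned IPv4
# (or CIDR) per line, sorted and de-duplicated. Only REJECT/DROP rules inside
# fail2ban chains count, and the catch-all 0.0.0.0/0 source is skipped.
extract_banned() {
    awk '
        /^Chain / { in_f2b = ($2 ~ /^(f2b|fail2ban)-/); next }
        in_f2b && ($1 == "REJECT" || $1 == "DROP") &&
            $4 != "0.0.0.0/0" &&
            $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $4 }
    ' | sort -u
}

# publish_blocklist DEST: write the live list to DEST via a temp file + mv,
# so the file served to the firewall is replaced in one step. Needs root.
publish_blocklist() {
    dest=$1
    tmp="$dest.tmp.$$"
    iptables -L -n | extract_banned > "$tmp" && mv "$tmp" "$dest"
}

# sample_iptables_listing: constructed "iptables -L -n" output for offline use.
# It contains CentOS's default host-prohibited REJECT in INPUT (source 0.0.0.0/0),
# two fail2ban jails, and one address banned by both jails.
sample_iptables_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-postfix-sasl  tcp  --  0.0.0.0/0     0.0.0.0/0            multiport dports 25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.77         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Run as "sh f2b-blocklist.sh publish /var/www/html/banned.txt" (as root) from
# cron to refresh the file; with no arguments nothing touches iptables.
if [ "${1:-}" = "publish" ]; then
    publish_blocklist "$2"
fi
```

On the sample listing the output is the two documentation addresses, one line each, with the duplicate from the second jail collapsed. The original one-liner would also have printed any REJECT rule with a specific source from chains that have nothing to do with fail2ban, which is the main reason for keying on the chain name before trusting a line.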
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos