Postfix a way to limit the frequency of brute force?

Hello,

seeing this:
Code:
Sep 20 03:24:51 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:48 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:45 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:43 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:40 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:37 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:35 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:32 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
and taking into account that there is a NIDS taking care of this intruder but wanting to limit the amount of brute force attempts (from let's say 8 attempts to 3), is there a way to limit the frequency of authentication requests coming from the same IP in mail/postfix?
 
mecano said:
...
and taking into account that there is a NIDS taking care of this intruder but wanting to limit the amount of brute force attempts (from let's say 8 attempts to 3), is there a way to limit the frequency of authentication requests coming from the same IP in mail/postfix?

In file /usr/local/etc/postfix/main.cf place something like the following:

Code:
...
# RATE THROTTLING
smtpd_client_connection_rate_limit = 20
smtpd_error_sleep_time             = 10s
smtpd_soft_error_limit             = 3
smtpd_hard_error_limit             = 5
...

The explanation of the settings can be found on: http://www.postfix.org/TUNING_README.html#conn_limit
 
I'm already using security/ossec-hids-server+security/ossec-hids-client, but the reaction delay worries me.
As you can see from the log extracts in the first post, from 8 to 12 attempts are made within a second; add to this a distributed-IP attack...
The passwords are the most secure they can be, but still.
That's why I thought about limiting the smtpd authentication rate.
Could security/py-fail2ban be more reactive? Is it possible to use it in a multiple-jail setup to work with an outside pf?

obsigna, these settings are nice, but I'm trying to find one that could limit the connection rate to my domain addresses; is that possible? I can't seem to find such an option. I don't want to limit outside SMTP requests, just brute force attempts targeting my domain accounts.
 
mecano said:
...
@obsigna these settings are nice, but I'm trying to find one that could limit the connection rate to my domain addresses; is that possible? I can't seem to find such an option. I don't want to limit outside SMTP requests, just brute force attempts targeting my domain accounts.

Sorry, I forgot to add one more link: http://www.postfix.org/TUNING_README.html#slowdown

My settings example allows any single external client to make max. 20 connections per minute, i.e. 3 conns/s. After 3 faulty connection attempts (soft error limit) from the same client, the following attempts are delayed by 10 more seconds each. After 5 faulty attempts (hard error limit) by the same SMTP client, Postfix simply disconnects.
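An added main.cf fragment, not from the thread and not a verbatim copy of the Postfix documentation, that puts the settings explained above next to the one parameter that limits login attempts specifically rather than connections in general: smtpd_client_auth_rate_limit, available in Postfix 3.1 and later. The per-client counters are kept by anvil(8) per anvil_rate_time_unit, 60s by default, so the 20 in the example is 20 connections per minute; the error counters, by contrast, are per SMTP session. The value of 3 for the AUTH limit is an assumption taken from the "8 attempts to 3" in the first post; a legitimate mail client retrying a stale saved password will hit it too.

```conf
# Per-client limits enforced by smtpd(8) through anvil(8). Every "per time
# unit" limit below counts against this window (default: 60s).
anvil_rate_time_unit = 60s

# Connections per client per time unit (the setting from the post above).
smtpd_client_connection_rate_limit = 20

# Postfix 3.1 and later: AUTH commands per client per time unit, counted
# whether or not the authentication succeeds. 0 (the default) disables it.
# The value 3 is an assumption mirroring the thread's "8 attempts to 3".
smtpd_client_auth_rate_limit = 3

# Per-session error handling: after more than smtpd_soft_error_limit errors
# each reply is delayed by smtpd_error_sleep_time, and once the client
# exceeds smtpd_hard_error_limit the session is dropped. The counters live
# in the session, so a client that reconnects for every attempt starts at
# zero; the anvil limits above are what catch that pattern.
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 5

# Clients matched here are exempt from all anvil limits. The default is
# $mynetworks, so keep internal relays in mynetworks and nothing else.
smtpd_client_event_limit_exceptions = $mynetworks
```

`postconf mail_version` shows whether the running Postfix is new enough for smtpd_client_auth_rate_limit, and `postconf -n` lists the non-default values actually in effect after a `postfix reload`.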
 
@obsigna I've been playing with these settings for a few days and they fit perfectly. Thanks a lot for your help.
 