
IP Filtering from hackers


Emmanuel BILLOT

Feb 19, 2022, 6:41:19 AM2/19/22
Hi,

We have an SMTPS server with SASL auth for posting messages from external networks (internal too). For weeks we have found a lot (a very big number) of

SASL LOGIN authentication failed: authentication failure

in our logs.

Client IPs are foreign and not real clients.

1 - Is it a brute-force attack? Or a DDoS?
2 - What Postfix directive should we use to stop it?

We have listed all IPs. We can use a FW rule, but it's heavy and hard to manage. A Postfix list may be easier.

Sincerely,

Johann Beretta

Feb 25, 2022, 2:37:32 AM2/25/22
Most likely it's a brute-force attack. But it is also equally likely
that it's not you being targeted. Some call them a drive-by attack.
Bots just scan the internet and when they come across a server, they try
commonly used credentials (usernames/passwords). They may even try a list
of known / stolen credentials. But it's almost certainly an automated
scan. Statistically speaking.

You'd be far better off, in my opinion, with blocking them at the
firewall. If these source IPs are bad actors (people or bots) you
should completely block them. Why block them in Postfix only? That
leaves them (or it) open to try attacking other services on your machine(s).

If a robber comes to my house, I'm not gonna lock the door but allow him
to wander around the rest of the property.




jopoy

Apr 16, 2022, 2:35:46 PM4/16/22
Hi Emmanuel,

Mine is a simpler approach. I just use fail2ban [1] to catch offending IPs so I don't have to manage a list manually.

Cheers!
Jopoy

[1] https://www.fail2ban.org/wiki/index.php/Main_Page
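As an added example, not part of any post in this thread, the following script does in a few dozen lines what the fail2ban approach above automates and what the original question asked for: it reads the `SASL LOGIN authentication failed` warnings out of a Postfix log, counts failures per client IP inside a sliding time window (the same `maxretry` / `findtime` idea fail2ban uses), and emits the offending addresses as a Postfix access(5) map that can be loaded with `postmap` and referenced with `check_client_access` in `smtpd_client_restrictions`. The same list can feed a firewall rule instead, which is the point Johann makes. The log lines are constructed for illustration using documentation (TEST-NET) addresses and follow the standard `postfix/smtpd` syslog format; the year is supplied by the caller because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the thread). The IPs are from
# documentation ranges. 203.0.113.5 fails four times in under two minutes;
# 198.51.100.77 fails three times, but spread over fifteen minutes.
SAMPLE_LOG = """\
Feb 19 06:40:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:40:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:40:09 mail postfix/smtpd[2102]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:40:10 mail postfix/smtpd[2103]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:41:19 mail postfix/smtpd[2104]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:55:00 mail postfix/smtpd[2110]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Feb 19 06:55:02 mail postfix/smtpd[2110]: connect from mta.example.net[192.0.2.10]
Feb 19 06:55:03 mail postfix/smtpd[2110]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the smtpd warning for any SASL mechanism (LOGIN, PLAIN, ...).
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text, year=2022):
    """Return a list of (timestamp, client_ip) for every SASL auth failure."""
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if not m:
            continue  # connects, deliveries, etc. are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` failures inside any `findtime` window.

    A sliding window per IP, so slow, spread-out failures below the rate
    are not flagged (the 198.51.100.77 case in the sample).
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)

    banned = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def postfix_access_map(ips):
    """Render a Postfix access(5) table body: one 'client REJECT ...' per line."""
    return "".join(f"{ip} REJECT Too many failed SASL logins\n" for ip in ips)


if __name__ == "__main__":
    bad = offenders(parse_failures(SAMPLE_LOG))
    print(postfix_access_map(bad), end="")
```

Run on the sample it prints a single `203.0.113.5 REJECT ...` line; lowering `maxretry` to 2 also catches 198.51.100.77. Writing the output to a file, running `postmap` on it and adding `check_client_access hash:/path/to/that/file` to `smtpd_client_restrictions` gives the "Postfix list" the original question asked about, while still leaving the other services on the host exposed to the same addresses, which is why the firewall or fail2ban route is generally preferred.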