Hello,
is it possible to configure postscreen so that, before disconnecting, it keeps the connection open for a while in order to keep the attacker busy for a bit?
Background: I am currently seeing the following attempts to dump spam in my log:
Mar 6 12:20:23 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62525 to [78.47.47.89]:25
Mar 6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
Mar 6 12:20:24 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62525
Mar 6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62525 in tests after SMTP handshake
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62525
Mar 6 12:20:24 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62604 to [78.47.47.89]:25
Mar 6 12:20:24 s3 postfix/dnsblog[13901]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:24 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62604: EHLO ylmf-pc\r\n
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62604
Mar 6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62604 in tests after SMTP handshake
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62604
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62618 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62618: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62618
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62618 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62618
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62631 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62631: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62631
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62631 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62631
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62642 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62642: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62642
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62642 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62642
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62649 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62649: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62649
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62649 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62649
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62665 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62665: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62665
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62665 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62665
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62680 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62680: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62680
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62680 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62680
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62692 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62692: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62692
Mar 6 12:20:26 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62692 in tests after SMTP handshake
Mar 6 12:20:26 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62692
Before my fail2ban had the chance to block the IP, the spammer had already made quite a few retries. I would like to slow that down a bit. No spammer should get more than 3 attempts. ;-)
Regards, Jochen
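The per-IP retry counting Jochen wants from fail2ban ("no spammer should get more than 3 attempts"), as an added worked example for this thread; it is not code from the thread, from fail2ban or from the sys4 blog post. It reads postscreen lines in the format shown above, counts each client connection that triggered a PREGREET or a DNSBL hit once (postscreen logs several lines per connection), and reports an IP the moment it reaches a given number of failed connections inside a sliding time window, i.e. fail2ban's maxretry/findtime semantics. The log lines, the host name `mx` and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the example; the year 2016 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamps carry no year; 2016 (the year of this thread) is assumed
# so that timestamps can become datetimes for window arithmetic.
ASSUMED_YEAR = 2016

# Matches the postscreen events seen in the thread. The first [addr]:port in
# every such line is the client, so a non-greedy skip reaches it.
POSTSCREEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|PREGREET|DNSBL rank|HANGUP|DISCONNECT)\b"
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)"
)

# Events that mark a connection as a failed attempt: traffic before the
# greeting, or a DNSBL listing that reached postscreen's threshold.
STRIKE_EVENTS = {"PREGREET", "DNSBL rank"}

# Constructed sample in the page's log format: four "ylmf-pc" connections from
# one client within three seconds, then one well-behaved client that passes.
SAMPLE_LOG = r"""
Mar  6 12:20:23 mx postfix/postscreen[13898]: CONNECT from [192.0.2.10]:62525 to [198.51.100.5]:25
Mar  6 12:20:23 mx postfix/postscreen[13898]: PREGREET 14 after 0.04 from [192.0.2.10]:62525: EHLO ylmf-pc\r\n
Mar  6 12:20:24 mx postfix/dnsblog[13900]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  6 12:20:24 mx postfix/postscreen[13898]: DNSBL rank 2 for [192.0.2.10]:62525
Mar  6 12:20:24 mx postfix/postscreen[13898]: HANGUP after 0.08 from [192.0.2.10]:62525 in tests after SMTP handshake
Mar  6 12:20:24 mx postfix/postscreen[13898]: DISCONNECT [192.0.2.10]:62525
Mar  6 12:20:24 mx postfix/postscreen[13898]: CONNECT from [192.0.2.10]:62604 to [198.51.100.5]:25
Mar  6 12:20:24 mx postfix/postscreen[13898]: PREGREET 14 after 0.04 from [192.0.2.10]:62604: EHLO ylmf-pc\r\n
Mar  6 12:20:24 mx postfix/postscreen[13898]: DNSBL rank 2 for [192.0.2.10]:62604
Mar  6 12:20:24 mx postfix/postscreen[13898]: DISCONNECT [192.0.2.10]:62604
Mar  6 12:20:25 mx postfix/postscreen[13898]: CONNECT from [192.0.2.10]:62618 to [198.51.100.5]:25
Mar  6 12:20:25 mx postfix/postscreen[13898]: PREGREET 14 after 0.04 from [192.0.2.10]:62618: EHLO ylmf-pc\r\n
Mar  6 12:20:25 mx postfix/postscreen[13898]: DISCONNECT [192.0.2.10]:62618
Mar  6 12:20:25 mx postfix/postscreen[13898]: CONNECT from [192.0.2.10]:62631 to [198.51.100.5]:25
Mar  6 12:20:25 mx postfix/postscreen[13898]: DNSBL rank 2 for [192.0.2.10]:62631
Mar  6 12:20:25 mx postfix/postscreen[13898]: DISCONNECT [192.0.2.10]:62631
Mar  6 12:21:02 mx postfix/postscreen[13898]: CONNECT from [192.0.2.77]:40112 to [198.51.100.5]:25
Mar  6 12:21:08 mx postfix/postscreen[13898]: PASS NEW [192.0.2.77]:40112
Mar  6 12:21:09 mx postfix/postscreen[13898]: DISCONNECT [192.0.2.77]:40112
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_ts(ts: str) -> datetime:
    """Turn a syslog timestamp such as 'Mar  6 12:20:23' into a datetime."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def iter_failed_connections(lines):
    """Yield (ts_text, ts, ip) once per client connection that produced a strike.

    Keying on (ip, port) collapses the PREGREET/DNSBL/HANGUP lines of one
    connection into a single attempt, the unit Jochen wants to limit. Over very
    long logs an ephemeral port can be reused; for a ban window this is fine.
    """
    seen = set()
    for line in lines:
        m = POSTSCREEN_RE.match(line)
        if not m or m.group("event") not in STRIKE_EVENTS:
            continue
        key = (m.group("ip"), m.group("port"))
        if key in seen:
            continue
        seen.add(key)
        yield m.group("ts"), parse_ts(m.group("ts")), m.group("ip")


def count_attempts(lines):
    """Number of failed connections per client IP over the whole input."""
    counts = defaultdict(int)
    for _, _, ip in iter_failed_connections(lines):
        counts[ip] += 1
    return dict(counts)


def find_offenders(lines, maxretry=3, findtime=60):
    """fail2ban-style sliding window: an IP is reported as soon as it reaches
    `maxretry` failed connections within `findtime` seconds.

    Returns {ip: timestamp text of the line that tripped the threshold}.
    """
    recent = defaultdict(list)  # ip -> datetimes of failed connections in window
    reported = {}
    for ts_text, ts, ip in iter_failed_connections(lines):
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in reported:
            reported[ip] = ts_text
    return reported


if __name__ == "__main__":
    print("failed connections per IP:", count_attempts(SAMPLE_LINES))
    print("would ban (maxretry=3, findtime=60s):", find_offenders(SAMPLE_LINES))
```

On the sample the client is reported at 12:20:25, two seconds after its first CONNECT, and it has already made a fourth attempt by then; that gap between the third attempt and the ban is exactly what a log-polling ban cannot close, which is why Jochen sees more than three retries. Matching on the PREGREET and DNSBL lines rather than on DISCONNECT makes the count fire one line earlier per connection, but not earlier than the log is written.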
* J. Fahrner jf@fahrner.name:
> Hello,
> is it possible to configure postscreen so that, before disconnecting, it keeps the connection open for a while in order to keep the attacker busy for a bit?
No. That was also explicitly not a design goal.
You can, if you want, attach a TCP service that dawdles. And just before the timeout it says "Nope".
p@rick
On 06.03.2016 at 21:37, J. Fahrner wrote:
> Mar 6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
I solved this differently: https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-yl...
Best regards, Robert Schetterer
On 07.03.2016 at 06:57, Robert Schetterer wrote:
> On 06.03.2016 at 21:37, J. Fahrner wrote:
>> Mar 6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
> I solved this differently: https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-yl...
Interesting approach. I'll give it a try.
Participants (4): J. Fahrner, Jochen Fahrner, Patrick Ben Koetter, Robert Schetterer