Date: Mon, 25 Jul 2016 14:53:18 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-stable@freebsd.org
Subject: Re: Postfix and tcpwrappers?
Message-ID: <b2e7610f-5972-a330-4288-807ea936ff48@denninger.net>
In-Reply-To: <1308b751-450d-4c73-6a49-746d53031b11@digiware.nl>
References: <a3ad16f6-3bae-68dd-d4c7-9ed7cd223aa5@denninger.net> <op.yk51o9vtkndu52@ronaldradial.radialsg.local> <c5fc2cb8-faa6-ffe5-887a-dc07b242f694@denninger.net> <1308b751-450d-4c73-6a49-746d53031b11@digiware.nl>
On 7/25/2016 14:48, Willem Jan Withagen wrote:
> On 25-7-2016 19:32, Karl Denninger wrote:
>> On 7/25/2016 12:04, Ronald Klop wrote:
>>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger
>>> <karl@denninger.net> wrote:
>>>
>>>> This may not belong in "stable", but since Postfix is one of the
>>>> high-performance alternatives to sendmail....
>>>>
>>>> Question is this -- I have sshguard protecting connections inbound, but
>>>> Postfix appears to be ignoring it, which implies that it is not paying
>>>> attention to the hosts.allow file (and the wrapper that enables it.)
>>>>
>>>> Recently a large body of clowncars have been targeting my sasl-enabled
>>>> https gateway (which I use for client machines and thus do in fact need)
>>>> and while sshguard picks up the attacks and tries to ban them, postfix
>>>> is ignoring the entries it makes which implies it is not linked with the
>>>> tcp wrappers.
>>>>
>>>> A quick look at the config for postfix doesn't disclose an obvious
>>>> configuration solution....did I miss it?
>>>>
>>> Don't know if postfix can handle tcp wrappers, but I use bruteblock
>>> [1] for protecting connections via the ipfw firewall. I use this for
>>> ssh and postfix.
> Given the fact that both tcpwrappers and postfix originate from the same
> author (Wietse Venema) I'd be very surprised if you could not do this.
> http://www.postfix.org/linuxsecurity-200407.html
>
> But grepping the binary for libwrap it does seem to be the case.
> Note that you can also educate sshguard to actually use a script to do
> whatever you want it to do. I'm using it to add rules to an ipfw table
> that is used in a deny-rule.
>
> Reloading the fw keeps the deny-rules, flushing the table deletes all
> blocked hosts without reloading the firewall.
> Both times a bonus.
>
> --WjW

That's why I was surprised too... but it is what it is.
I just rebuilt sshguard to use an ipfw table instead of hosts.allow, since
I use ipfw anyway for firewall/routing/ipsec/etc. Adding one line up near
the top of my ruleset to match against the table and send back a reset
(I'm considering black-holing attempts instead as that will slow the
clowncar brigade down and thus "helps" others) resolved the issue.

It's interesting that all of a sudden the clowncar folks figured out that
if they hit my email server with SSL they could then attempt an auth. I
have always had auth turned off for non-SSL connections for obvious reasons
(passing passwords around plain is bad news, yanno) and until recently the
clowns hadn't bothered with the overhead of setting up SSL connections.
That appears to now have changed, so....

--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
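As an added example, not code from the thread or from sshguard itself: a small POSIX sh script that implements the ipfw-table approach Willem Jan and Karl describe above (bans kept in a table, one early rule matching the table, table contents surviving a ruleset reload). The table number, rule number and the "block ADDR" / "release ADDR" / "flush" input format are assumptions for this example, and every ipfw(8) call goes through an overridable $IPFW so it can be exercised without root.

```sh
#!/bin/sh
# Added example (not from the thread): keep sshguard's bans in an ipfw table
# and match that table from a single rule near the top of the ruleset.
IPFW=${IPFW:-/sbin/ipfw}
TABLE=${TABLE:-22}        # assumed table number; pick one your ruleset does not use
RULE=${RULE:-100}         # assumed rule number, placed early in the ruleset
ACTION=${ACTION:-reset}   # "reset" answers with RST; "deny" black-holes instead

# Accept only an IPv4 address or CIDR block: the address comes out of a log
# line that the remote side influenced, so it must never reach ipfw unchecked.
valid_addr() {
    case $1 in */*/*) return 1;; esac          # at most one "/prefix"
    addr=${1%/*}
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    case $1 in */*)
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1;; esac
        [ "$prefix" -le 32 ] || return 1;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The one rule that must exist. A ruleset reload has to re-add it, while the
# table (and every ban in it) survives the reload, as noted above.
install_rule() { "$IPFW" -q add "$RULE" "$ACTION" ip from "table($TABLE)" to any; }

block_host()   { valid_addr "$1" || return 2; "$IPFW" -q table "$TABLE" add "$1"; }
release_host() { valid_addr "$1" || return 2; "$IPFW" -q table "$TABLE" delete "$1"; }
flush_table()  { "$IPFW" -q table "$TABLE" flush; }

# Read "block ADDR", "release ADDR" or "flush" lines from stdin. This line
# format is an assumption for the example; adapt it to whatever your sshguard
# version hands its blocking script.
dispatch() {
    while read -r cmd addr _; do
        case $cmd in
            block)   block_host "$addr"   || echo "rejected block: $addr" >&2;;
            release) release_host "$addr" || echo "rejected release: $addr" >&2;;
            flush)   flush_table;;
            *)       echo "unknown command: $cmd" >&2;;
        esac
    done
}

if [ "${1:-}" = "--run" ]; then dispatch; fi   # e.g. ... | ./sshguard-ipfw.sh --run
```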
