Protect Postfix From Attack
Server Training - Mail Server
Protection From Attack

Postfix has settings that protect the server from clients that keep making errors. Such a client may be a misconfigured mail system, or it may be a malicious client feeding the server bad commands in the hope of compromising it. Either way, each error costs the server a response, so Postfix slows down, and eventually disconnects, a client that keeps making errors without delivering mail. Three settings control this:

smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

The first line is the delay. The error counter is kept per SMTP session and counts errors the client makes without delivering mail. Once a client has made more than smtpd_soft_error_limit errors, Postfix (version 2.1 and later) sleeps smtpd_error_sleep_time before every response to that client, not only before error responses. Once the client has made more than smtpd_hard_error_limit errors, Postfix answers with a 421 "too many errors" reply and disconnects it. With the values above, the 11th error and every reply after it is delayed 2 seconds, and the 21st error ends the session. (Postfix 2.0 and earlier grew the delay with the error count instead of using a fixed delay; the fixed delay is the current behavior.) The soft limit of 10 and hard limit of 20 are the Postfix defaults; the default delay is 1s. These settings can all be changed to reflect your needs. Keep in mind that the counter belongs to the session: a client that is disconnected and reconnects starts again at zero, so for a persistent abuser you will also want Postfix's per-client connection rate limits.

This practice will help you set up the soft and hard limits for attack parameters. Edit your main.cf file and add the settings at the end of the file. Configure your hard limit at 25, your soft limit at 15 and use a 1 second delay. Once this is complete, contact your instructor so it may be reviewed on your practice server.
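To see how the three settings interact before touching a live server, the following simulator models the per-session error counter as postconf(5) describes it for Postfix 2.1 and later. It is an added example written for this page, not code from Postfix; the names SmtpdErrorPolicy, record_error, simulate, time_wasted and parse_time are this example's own, and the exact boundary comparisons ("more than" the soft limit, "exceeds" the hard limit) follow the documentation wording rather than the smtpd source. Run it as-is and it prints the outcome for the page's example values and for the lab's values.

```python
"""Simulate the Postfix smtpd error-limit policy for one SMTP session.

Added example, not Postfix code. It follows postconf(5) for Postfix 2.1+:
a per-session count of errors made without delivering mail; once the count
is more than smtpd_soft_error_limit, every reply is delayed by
smtpd_error_sleep_time (not only error replies); once the count exceeds
smtpd_hard_error_limit, the server answers 421 and disconnects. The +/-1
boundaries follow the documentation wording and are an assumption of this
model, as are all names below.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Postfix time units; a bare number uses the parameter's default unit.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str, default_unit: str = "s") -> int:
    """Parse a Postfix time value such as '2s' or '1m' into seconds."""
    value = value.strip()
    if value[-1].isdigit():
        return int(value) * _UNITS[default_unit]
    return int(value[:-1]) * _UNITS[value[-1]]


@dataclass
class SmtpdErrorPolicy:
    sleep_time: int = 1     # smtpd_error_sleep_time in seconds (Postfix default 1s)
    soft_limit: int = 10    # smtpd_soft_error_limit (Postfix default 10)
    hard_limit: int = 20    # smtpd_hard_error_limit (Postfix default 20)
    errors: int = 0         # errors so far in this session (fresh on reconnect)

    def reply_delay(self) -> int:
        """Seconds Postfix sleeps before *any* reply at the current count."""
        return self.sleep_time if self.errors > self.soft_limit else 0

    def record_error(self) -> Tuple[int, bool]:
        """The client sent a bad command. Return (delay, session_ends)."""
        self.errors += 1
        return self.reply_delay(), self.errors > self.hard_limit

    def as_main_cf(self) -> str:
        """The three main.cf lines that express this policy."""
        return (
            f"smtpd_error_sleep_time = {self.sleep_time}s\n"
            f"smtpd_soft_error_limit = {self.soft_limit}\n"
            f"smtpd_hard_error_limit = {self.hard_limit}\n"
        )


def simulate(policy: SmtpdErrorPolicy, attempts: int) -> List[Tuple[int, bool]]:
    """Feed `attempts` bad commands into one session; stop at disconnect."""
    events: List[Tuple[int, bool]] = []
    for _ in range(attempts):
        delay, gone = policy.record_error()
        events.append((delay, gone))
        if gone:
            break
    return events


def time_wasted(events: List[Tuple[int, bool]]) -> int:
    """Total seconds the misbehaving client spent waiting for replies."""
    return sum(delay for delay, _ in events)


if __name__ == "__main__":
    for policy in (SmtpdErrorPolicy(parse_time("2s"), 10, 20),   # the page's example
                   SmtpdErrorPolicy(parse_time("1s"), 15, 25)):  # the lab's values
        events = simulate(policy, 100)
        print(policy.as_main_cf())
        print(f"disconnected after {len(events)} errors, "
              f"{time_wasted(events)}s of delay in total\n")
```

With the page's values a session that does nothing but send bad commands is cut off after 21 errors and has absorbed 22 seconds of delay; with the lab's values it lasts 26 errors and 11 seconds. The numbers make the trade-off visible: a larger delay wastes more of the attacker's time per session, but only the hard limit actually ends it, and a reconnecting client gets a fresh counter.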
Filtering Header and Body Content

Postfix can filter incoming mail with regular-expression rules applied to the message headers and to the message body. The rules are evaluated by the cleanup(8) daemon while the message is being received, so a matching REJECT refuses the message at the end of the DATA command, before it is queued and before any delivery work is done. (The content still has to be received over the network, so this saves queue and delivery resources rather than bandwidth.) Two lines in main.cf enable the filters; you do not need both, you may choose to filter only headers or only the body:

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

Both settings refer to files in the /etc/postfix directory that you must create. Each file holds one rule per line in the form /pattern/ ACTION text, with actions such as REJECT, DISCARD, HOLD or WARN; matching is case-insensitive by default and the first matching rule wins. Keep in mind that these checks apply to all mail passing through Postfix, including outbound and locally generated mail, with no per-user or per-recipient exemptions, and that you should run postfix reload after editing the files so that every cleanup process picks up the new rules.

Reducing Spam and Attack by Limiting IP Addresses

Source: SysAdmin, Nov. 2005, Vol. 14, No. 11, p. 16, "Geo-Ip Blocking with IP Tables: Some Common Sense Firewall Rules".

The thinking here is that these address ranges probably need no access to your network at all, unless you are an international business. The article estimates that blocking these country ranges may reduce spam and malware by up to 25%. In addition, in the event of a catastrophic virus outbreak, blocking these ranges may create a window of time in which to secure your server. The following website keeps track of the network subnets that belong to each country: http://ip.ludost.net

APNIC, Asian countries:
58.0.0.0/8
61.0.0.0/8
124.0.0.0/8
126.0.0.0/8
168.208.0.0/16
196.192.0.0/16
202.0.0.0/8
210.0.0.0/8
218.0.0.0/8
220.0.0.0/8
222.0.0.0/8

RIPE, Europe:
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8

AFRINIC, Africa:
41.0.0.0/8

LACNIC, Brazil and Argentina:
189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8

This is the 2005 list from the article, at /8 granularity. Registry allocations change and a /8 can contain networks in more than one region, so regenerate the list from current data before deploying it, and remember that dropping port 25 from a region refuses legitimate mail from that region as well. Implementing these restrictions requires adding statements to your iptables rules that specifically drop these subnets.
From the command line, add a rule to the INPUT chain naming the source subnet you want to drop. This example drops everything from 201.0.0.0/8:

iptables -A INPUT -s 201.0.0.0/8 -j DROP

As an alternative, you may want to let a region reach only your web server on port 80. This rule drops every TCP connection from 201.0.0.0/8 to any port other than 80 (the negation goes in front of the option; "-dport ! 80" is not valid iptables syntax):

iptables -A INPUT -s 201.0.0.0/8 -p tcp ! --dport 80 -j DROP

Because that rule names -p tcp, it does not touch UDP or ICMP from the range; add rules for those if you want them dropped as well. Note also that -A appends to the end of the chain, so if an earlier rule already accepts the traffic the DROP is never reached; use -I INPUT to insert at the top, or place the drops ahead of your ACCEPT rules. Rules added from the command line are lost at reboot unless you save them with your distribution's iptables-save mechanism.
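The header_checks and body_checks rules described earlier on this page are easiest to get right when you can try them against a captured message before loading them into main.cf. The evaluator below is an added example written for this page, not Postfix's own code: it reads a table in the format of regexp_table(5), applies it to each logical header line and each body line as header_checks(5) describes, and reports the first-match verdict. The rule tables and messages embedded in it are constructed samples, and names such as parse_rules, first_match and check_message are this example's own. It models only the REJECT, DISCARD, HOLD, WARN, IGNORE, OK and DUNNO actions, and applies body_checks_size_limit to the body as a whole rather than per MIME part as Postfix does.

```python
"""Offline evaluator for Postfix header_checks / body_checks regexp tables.

Added example, not Postfix code. Table format per regexp_table(5):
one '/pattern/flags ACTION text' per line, '#' comments and blank lines
ignored, a leading '!' negates the match, matching is case-insensitive
unless the 'i' flag turns that off, first matching rule wins. Per
header_checks(5), every logical header line (continuation lines joined,
header name included) is tested against the header table and every body
line against the body table. Simplifications: only REJECT, DISCARD, HOLD,
WARN, IGNORE, OK and DUNNO are modelled, and body_checks_size_limit is
applied to the whole body rather than per MIME part. All names are this
example's own.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[re.Pattern, bool, str, str]   # (regex, negated, action, text)

_RULE_RE = re.compile(r"^(!?)/(.+?)/([imx]*)\s+(\S+)\s*(.*)$")


def parse_rules(table: str) -> List[Rule]:
    """Compile a regexp table; raise on a line that is not a table entry."""
    rules: List[Rule] = []
    for lineno, line in enumerate(table.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a regexp table entry: {line!r}")
        neg, pattern, flags, action, text = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE   # 'i' toggles the default OFF
        if "x" in flags:
            re_flags |= re.VERBOSE
        if "m" in flags:
            re_flags |= re.MULTILINE
        rules.append((re.compile(pattern, re_flags), neg == "!", action.upper(), text))
    return rules


def first_match(rules: List[Rule], line: str) -> Optional[Tuple[str, str]]:
    """Return (action, text) of the first rule that matches `line`, else None."""
    for regex, negated, action, text in rules:
        if bool(regex.search(line)) != negated:
            return action, text
    return None


def split_message(raw: str) -> Tuple[List[str], List[str]]:
    """Return (logical header lines, body lines) of an RFC 5322 message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)   # join folded continuation lines
    return head.split("\n"), body.split("\n")


def check_message(raw: str, header_rules: List[Rule], body_rules: List[Rule],
                  body_size_limit: int = 51200) -> Tuple[str, str, List[str]]:
    """Return (verdict, reason, warnings); verdict is ACCEPT, REJECT, DISCARD or HOLD."""
    headers, body = split_message(raw)
    warnings: List[str] = []
    inspected = 0
    for scope, lines, rules in (("header", headers, header_rules),
                                ("body", body, body_rules)):
        for line in lines:
            if scope == "body":
                inspected += len(line) + 1
                if inspected > body_size_limit:   # the rest of the body is not inspected
                    break
            hit = first_match(rules, line)
            if hit is None:
                continue
            action, text = hit
            if action in ("REJECT", "DISCARD", "HOLD"):
                return action, f"{scope}: {line[:60]!r}: {text}", warnings
            if action == "WARN":                  # logged; the message continues
                warnings.append(f"{scope}: {line[:60]!r}: {text}")
            # IGNORE drops the line; OK and DUNNO count as "no match": all continue
    return "ACCEPT", "", warnings


# Constructed sample tables (not the page's rule files).
HEADER_CHECKS = r"""
# header name is part of the matched line; case-insensitive by default
/^Subject:.*\bviagra\b/         REJECT Spam subject
# the 'i' flag makes THIS rule case-sensitive, a common surprise
/^X-Mailer:.*mass mailer/i      WARN Bulk mailer
# stop searching on Received lines from the internal relay
/^Received:.*\[10\.0\.0\./      DUNNO
/^X-Spam-Flag:\s*YES/           HOLD Flagged upstream
"""

BODY_CHECKS = r"""
/<iframe\b/                     REJECT HTML iframe in body
/wire transfer/                 WARN Possible payment fraud
"""

# Constructed sample messages.
SPAM = ("Received: from mail.example.net ([10.0.0.5])\n"
        "\tby mx.example.com with ESMTP\n"
        "From: sender@example.net\n"
        "Subject: Cheap VIAGRA\n\nhello\n")
HAM = ("From: bob@example.org\nX-Mailer: Mass Mailer 2.0\n"
       "Subject: Lunch\n\nsee you at noon\n")
BULK = HAM.replace("Mass Mailer", "mass mailer")
IFRAME = ("From: eve@example.org\nSubject: invoice\n\n"
          "<html><iframe src=\"http://example.invalid/\"></iframe></html>\n")

if __name__ == "__main__":
    hr, br = parse_rules(HEADER_CHECKS), parse_rules(BODY_CHECKS)
    for name, msg in (("SPAM", SPAM), ("HAM", HAM), ("BULK", BULK), ("IFRAME", IFRAME)):
        print(name, check_message(msg, hr, br))
```

The HAM and BULK pair shows why the "i" flag trips people up: on a regexp table it switches case-insensitive matching off, so the rule fires on "mass mailer" but not on "Mass Mailer". Running a new rule as WARN first, as the table above does, lets you read what it would have caught in the mail log before promoting it to REJECT.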