# Postfix: a way to limit the frequency of brute force?



## mecano (Sep 20, 2014)

Hello,

seeing this:

```
Sep 20 03:24:51 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:48 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:45 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:43 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:40 mail postfix/smtpd[52421]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:37 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:35 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
Sep 20 03:24:32 mail postfix/smtpd[51808]: warning: xx-xx-xx-xx-xx.xxxxxx.com[x.x.x.x]: SASL LOGIN authentication failed:
```
and taking into account that there is a NIDS taking care of this intruder but wanting to limit the amount of brute force attempts (from let's say 8 attempts to 3), is there a way to limit the frequency of authentication requests coming from the same IP in mail/postfix?


----------



## obsigna (Sep 21, 2014)

mecano said:

> ...
> and taking in account that there is a nids taking care of this intruder but wanting to limit the amount of brute force attempts (from let's say 8 attempts to 3), is there a way to limit the frequency of authentication requests coming from the same ip in mail/postfix?



In file /usr/local/etc/postfix/main.cf place something like the following:


```
...
# RATE THROTTLING
smtpd_client_connection_rate_limit = 20
smtpd_error_sleep_time             = 10s
smtpd_soft_error_limit             = 3
smtpd_hard_error_limit             = 5
...
```

The explanation of the settings can be found on: http://www.postfix.org/TUNING_README.html#conn_limit


----------



## mecano (Sep 21, 2014)

Oh great! Thanks obsigna!


----------



## Business_Woman (Sep 22, 2014)

You might want to consider fail2ban for this.


----------



## wblock@ (Sep 22, 2014)

In ports as security/py-fail2ban.


----------



## mecano (Sep 22, 2014)

I'm already using security/ossec-hids-server+security/ossec-hids-client, but the reaction delay worries me.
As you can see in the log extracts in the first post from 8 to 12 attempts are made within a second, add to this a distributed IPs attack...
The passwords are the most secure they can be, but still.
That's why I thought about limiting smtpd authentication rate.
Could security/py-fail2ban be more reactive? Is it possible to use it in a multiple jail setup to work with an outside pf?

obsigna, these settings are nice but I'm trying to find one that could limit the connection rate to my domain addresses; is it possible? I can't seem to find such an option. I don't want to limit outside SMTP requests, just brute force attempts targeting my domain accounts.
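Added example (not part of the original thread): a sliding-window count of SASL authentication failures per client address, run over log lines in the format from the first post, which is the kind of threshold-in-a-window check a log-watching tool applies. The sample lines, the documentation addresses, the function name `find_offenders` and its default thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd SASL failure warning, in the format shown in the first post.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\swarning:\s"
    r"\S+\[(?P<ip>[^\]]+)\]:\sSASL\s\S+\sauthentication failed"
)

# Constructed sample log (documentation addresses), newest first like the post.
SAMPLE = """\
Sep 20 03:24:40 mail postfix/smtpd[52421]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed:
Sep 20 03:24:37 mail postfix/smtpd[51808]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed:
Sep 20 03:24:36 mail postfix/smtpd[51810]: connect from unknown[198.51.100.9]
Sep 20 03:24:35 mail postfix/smtpd[51808]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed:
Sep 20 03:24:32 mail postfix/smtpd[51808]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed:
Sep 20 03:20:10 mail postfix/smtpd[51700]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
Sep 20 03:05:02 mail postfix/smtpd[51344]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
Sep 20 02:50:41 mail postfix/smtpd[51002]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
""".splitlines()

def find_offenders(lines, threshold=3, window=timedelta(seconds=60), year=2014):
    """Return {ip: time of the failure that reached the threshold}.

    A client is flagged once `threshold` failures fall inside one sliding
    window. Syslog timestamps carry no year, so `year` is an assumption.
    """
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # ignore connects, disconnects and other smtpd lines
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for ts, ip in sorted(events):  # input may be newest first; process oldest first
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

With the default 60-second window only the fast client is flagged; widening the window to an hour also catches the slow client in the sample.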


----------



## obsigna (Sep 22, 2014)

mecano said:

> ...
> @obsigna these settings are nice but I'm trying to find one that could limit connection rate to my domain addresses is it possible? I can't seem to find such option. I don't want to limit outside smtp requests, just brute force attempts targeting my domain accounts.



Sorry, I forgot to add one more link: http://www.postfix.org/TUNING_README.html#slowdown

My settings example allows any single external client to make max. 20 connections per minute, i.e. 3 conns/s. After 3 faulty connection attempts (soft error limit) from the same client, the following attempts are delayed by 10 more seconds each. After 5 faulty attempts (hard error limit) by the same SMTP client, Postfix simply disconnects.


----------



## mecano (Sep 26, 2014)

@obsigna been playing with these settings for a few days and they fit perfectly. Thanks a lot for your help.


----------

