# Postfix server attacks and growing logs



## Deleted member 9563 (Apr 3, 2015)

I recently set up a postfix server (this thread) on a small VPS. It works well, but I'm not sure about what I'm seeing in the logs and if I should do anything about it.

I noticed after a day that there were lots of attempts at entry. That's obviously normal. Now, a couple of weeks later, I'm seeing non-stop attacks from multiple IPs. The auth.log is showing several per second at this point (mostly root login attempts), and this file is growing very fast. The mail.log file has recently also been getting entries (SSL_accept error and related entries) at the rate of several per minute. None of these are successful, and in my amateur opinion unlikely to be. It's still scary though!

Questions:
- Is there something I should, or could, be doing to mitigate this?
- Is `logrotate` the best way to deal with the log growth in this case?

More info:
I think my security is fine. This is a tunnel from my computer to the server, and it's only my mail going to it, so it's easy to see if there's anything illegitimate being sent. The VPS is running Debian (no FreeBSD available), but I doubt `ssh` and `postfix` are materially different.

PS: I'm not a member of a suitably specialized forum and couldn't find a good one now, so I'm posting this here on FreeBSD Forums since there's probably a lot of server admins here anyway.


----------



## SirDice (Apr 3, 2015)

I highly recommend installing something like security/py-fail2ban to thwart those brute-force attempts. Even if you set proper passwords on everything there's still a risk they might some day guess the correct one. And the more they can try, the bigger the risk gets.


----------



## Deleted member 9563 (Apr 3, 2015)

Thanks SirDice. I didn't know there was such an easy way to ban spamming IPs. That would probably do the trick. I just installed it (yes it's in Debian as well), but won't look at it until tomorrow since it's 3:30 a.m. here. I wonder if these attackers wouldn't just keep switching IP until I've got a list of the whole internet. lol


----------



## Deleted member 9563 (Apr 4, 2015)

I installed `logrotate` and after a long web search finally found out how to apply it to postfix logs. It's in /etc/logrotate.d/rsyslog if anybody is wondering. That solved the log size problem, though I still have no idea what kind of bombardment is normal for a new and insignificant server. Is one or two attempts per second normal or is it not?

So, I went on to install `fail2ban` and promptly locked myself out of the server. LOL! I wasn't ignorant of the possibility, but just a little sloppy and made a small mistake. Luckily I found a web based console for the VPS. With that fixed, (phew!) it looks like `fail2ban` (that's security/py-fail2ban on FreeBSD) is just the ticket. Thanks again SirDice.

Now I just need to learn a little more about how to best tweak /etc/fail2ban/jail.conf. What I can't figure out is how to define my own IP. I've got a static IP from my ISP which I can use in a pinch, but this computer runs through a VPN so it's not easy to pin it down.
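To put numbers on the two questions in this thread (what an attack rate looks like in auth.log, and how a fail2ban jail with a whitelisted address behaves), here is an added Python example. It is not code from the thread or from fail2ban itself; it replays a handful of constructed sshd log lines through a sliding window that mimics fail2ban's `maxretry`, `findtime` and `ignoreip` settings from jail.conf (the `ignoreip` option is where your own address goes). The addresses are RFC 5737 documentation ranges, the year is supplied by hand because syslog timestamps carry none, and the function and constant names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed auth.log sample (not from the thread). Addresses are RFC 5737
# documentation ranges; 192.0.2.50 plays the role of the admin's own address.
SAMPLE_AUTH_LOG = """\
Apr  4 03:10:01 vps sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  4 03:10:01 vps sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  4 03:10:02 vps sshd[2313]: Invalid user admin from 203.0.113.7
Apr  4 03:10:02 vps sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51040 ssh2
Apr  4 03:10:03 vps sshd[2315]: Failed password for root from 203.0.113.7 port 51060 ssh2
Apr  4 03:10:03 vps sshd[2315]: Failed password for root from 203.0.113.7 port 51060 ssh2
Apr  4 03:10:05 vps sshd[2320]: Failed password for root from 198.51.100.9 port 40210 ssh2
Apr  4 03:10:09 vps sshd[2322]: Failed password for nobody from 192.0.2.50 port 33000 ssh2
Apr  4 03:11:40 vps sshd[2330]: Accepted publickey for deploy from 192.0.2.50 port 33100 ssh2
Apr  4 03:20:00 vps sshd[2400]: Failed password for root from 198.51.100.9 port 40300 ssh2
"""

# One failed-password line as written by OpenSSH's sshd; "invalid user" is
# present when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, user, ip) for every failed-password line.

    syslog timestamps carry no year, so one is supplied by the caller.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day number
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def peak_failures_per_second(log_text):
    """Highest number of failed logins landing in any single second."""
    per_second = defaultdict(int)
    for ts, _user, _ip in parse_failures(log_text):
        per_second[ts] += 1
    return max(per_second.values(), default=0)


def simulate_jail(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.0/8",)):
    """Replay the log through a fail2ban-style sliding window.

    An IP is banned once it accumulates `maxretry` failures within `findtime`
    seconds, unless it falls inside one of the `ignoreip` networks (the knob
    fail2ban uses to whitelist the administrator's own address).

    Returns (bans, totals): bans maps IP -> time of the ban; totals maps
    IP -> all failures seen, banned or not.
    """
    allow = [ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(list)
    totals = defaultdict(int)
    bans = {}
    for ts, _user, ip in parse_failures(log_text):
        totals[ip] += 1
        if ip in bans or any(ip_address(ip) in net for net in allow):
            continue
        recent = [t for t in window[ip] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans, dict(totals)


if __name__ == "__main__":
    bans, totals = simulate_jail(SAMPLE_AUTH_LOG, ignoreip=("127.0.0.0/8", "192.0.2.50"))
    print("peak failures/second:", peak_failures_per_second(SAMPLE_AUTH_LOG))
    for ip, count in sorted(totals.items(), key=lambda kv: -kv[1]):
        state = f"banned at {bans[ip]:%H:%M:%S}" if ip in bans else "not banned"
        print(f"{ip:>15} {count:3d} failures  {state}")
```

Running it against your real auth.log (with the regex unchanged, since the line format is sshd's) gives the per-IP counts and the peak per-second rate that the thread is guessing at; lowering `maxretry` or raising `findtime` in the call shows how aggressively a jail would react before you commit the same values to jail.conf, and the whitelisted 192.0.2.50 never trips the ban even though its failure is still counted.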


----------



## cbrace (Apr 5, 2015)

Have you configured public/private SSH keys to be able to log in without your password? I would assume so. Then disable passwords in your /etc/ssh/sshd_config file:

```
PasswordAuthentication no
```
That way you don't have to worry about brute-force attempts.
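An added example (not cbrace's, not OpenSSH's) that checks whether an sshd_config really closes the password path: sshd keeps the first value it sees for a keyword and a later `Match` block can override the global section, so a plain grep for `PasswordAuthentication no` can be misleading. The config text, the `legacyuser` account and the function names are constructed for this illustration; the defaults the checker assumes (PasswordAuthentication and ChallengeResponseAuthentication default to yes) are OpenSSH's documented ones, while PermitRootLogin's default has varied between releases, so the checker demands an explicit `no`.

```python
import re

# Constructed sshd_config excerpt (not from the thread). The global section
# turns passwords off, but a later Match block turns them back on for one
# account, which is exactly the kind of hole a quick grep would miss.
SAMPLE_SSHD_CONFIG = """\
# Constructed example, not a real server's file
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# sshd keeps the first value it sees for a keyword, so this line is inert:
PasswordAuthentication yes

Match User legacyuser
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Split an sshd_config into its global settings and its Match blocks.

    Mirrors two sshd rules: keywords are case-insensitive, and for a given
    keyword the first value obtained wins, so later duplicates are dropped.
    Returns (global_settings, match_blocks) where match_blocks is a list of
    (criteria, settings) in file order.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit_password_logins(text):
    """List the ways the given config still leaves a password path open."""
    g, matches = parse_sshd_config(text)
    findings = []
    # OpenSSH's default for PasswordAuthentication is yes, so absence counts
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' in the global section")
    # With UsePAM, keyboard-interactive can still prompt for a password unless
    # challenge/response is off as well (its default is also yes)
    if g.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'")
    # PermitRootLogin's default differs across releases; insist on an explicit no
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    for criteria, settings in matches:
        if settings.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria!r} re-enables PasswordAuthentication")
    return findings


if __name__ == "__main__":
    for finding in audit_password_logins(SAMPLE_SSHD_CONFIG) or ["no password path found"]:
        print("-", finding)
```

Point it at the real file with `audit_password_logins(open("/etc/ssh/sshd_config").read())` after your keys are working and before you reload sshd; an empty list means every password route the checker knows about is closed, and the Match finding is the one worth looking for on a box that has grown a few exceptions over time.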


----------



## Deleted member 9563 (Apr 6, 2015)

cbrace said:


> Have you configured public/private SSH keys to be able to log in without your password? I would assume so. Then disable passwords in your /etc/ssh/sshd_config file:
> 
> ```
> PasswordAuthentication no
> ...



You got me thinking about that. It's probably a good idea, but I'm a little worried that I'm getting this more complicated than is prudent, considering my current grip on the situation. I haven't yet tried to understand how to generate key pairs and am already running this through a SSH tunnel. My feeling is that I should wait a little until my understanding catches up before I add another layer. It does seem like the best way, so I'll look into it later.

Since I configured `fail2ban` and tweaked the /etc/ssh/sshd_config file, things have calmed down. The login attempts have gone from over 60 per minute, to around 30 per hour. Since they consist of only a few attempts at user login (with wildly wrong user names), and mostly root (no root login allowed) attempts, I don't think it's possible for any brute force attempt to be successful. I'm happy with this situation.

That said, playing with a postfix server on the wild net has been a great learning experience, and I plan to continue playing with this just for the education. I'm too old to work, but I still like to have a bit of a grip on what's happening in the real world.


----------

