# Postfix - Limit Rate of Failed Logins?



## Ruler2112 (Apr 19, 2013)

I have a small mail server using Postfix 2.9.1.  Many times since bringing it online, I've had machines from random places around the world try to guess passwords; my hunch is that they want to use my server to spam.  While I'm confident that they have not yet been able to break in, the server slows considerably for legitimate use while such an attack is happening.  The person yesterday tried logging in over 19,000 times using different names.

I do not know if what I'm thinking is possible, but it makes enough sense that I'm sure somebody's already thought of it and made something to do exactly this.  I've googled for quite a while and haven't been able to find what I'm looking for though; I'm probably just searching with the wrong terms.

My idea is to limit how many failed login attempts are allowed from a given IP address during a specified period of time.  For example, if someone tries to log in with the wrong password 10 times in 2 minutes, assume that they're trying to break in and disallow connections from that IP for 10 minutes.

Does anyone know if such an animal already exists and what it might be called?  (I don't mind searching & learning on my own - just haven't been able to find anything so far.)
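The per-IP sliding-window counter the question describes, as an added example written for this thread (not code from Postfix, fail2ban or sshguard): it parses Postfix smtpd SASL failure lines and bans an IP for 10 minutes once it reaches 10 failures inside 2 minutes. The log lines are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd SASL failure line (syslog timestamps carry no year), e.g.:
#   Apr 19 10:00:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ...
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

def detect_bruteforce(lines, year=2013, max_fail=10,
                      window=timedelta(minutes=2), ban=timedelta(minutes=10)):
    """Return {ip: ban_expiry} for every IP that reached max_fail failed
    logins inside one sliding window. `year` is assumed: syslog omits it."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}                   # ip -> time until which the IP is banned
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue              # not an auth failure; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned and ts < banned[ip]:
            continue              # ban still active; nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_fail:
            banned[ip] = ts + ban # 10 failures in 2 min -> ban for 10 min
            q.clear()
    return banned

# Constructed sample log: one host fails 10 times in 45 s, another only 5 times
# spread over 4 minutes (never 10 inside any 2-minute window).
SAMPLE_LOG = [
    f"Apr 19 10:00:{s:02d} mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6" for s in range(0, 50, 5)
] + [
    f"Apr 19 10:0{mnt}:00 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure" for mnt in range(5)
]

if __name__ == "__main__":
    for ip, until in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%H:%M:%S}")
```

In a real deployment the returned map would be handed to a firewall rule, which is the part fail2ban and sshguard automate.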


----------



## cpm@ (Apr 19, 2013)

security/py-fail2ban has a Postfix filter. Also read http://www.fail2ban.org/wiki/index.php/HOWTOs for help/support.


----------



## kpa (Apr 19, 2013)

security/sshguard can be made to parse mail logs as well. I think it does actually by default.


----------



## Ruler2112 (Apr 22, 2013)

Thanks for the tips guys.  I knew that something like this had to exist!  Going to look into the ports you mentioned and get something configured.

Thanks again - you guys here are awesome.


----------



## Nukama (Apr 23, 2013)

There is also ossec, which actively responds to alerts generated out of your logs.


----------



## plamaiziere (Apr 24, 2013)

Ruler2112 said:

> I have a small mail server using Postfix 2.9.1.  Many times since bringing it online, I've had machines from random places around the world try to guess passwords, my hunch is to use my server to spam.  While I'm confident that they have not yet been able to break in, the server slows considerably for legitimate use while such an attack is happening.  The person yesterday tried logging in over 19,000 times using different names.



I've not tried it but that looks to be a job for the Postfix anvil(8) daemon.
http://www.postfix.org/anvil.8.html


----------



## kpa (Apr 24, 2013)

IMO that's not enough. You'll also have to block the offender on IP level and that's where security/sshguard-pf is very handy.


----------

