Posts Tagged postfix security

Blocking Country Attacks

Filed Under Security | 3 Comments

I recently checked mail stats on a server and discovered that 71% of the mail that the server handled was rejected. That means the server lost 71% of its total resources to connections that were either malicious in nature or intended to solicit resources from individuals. As a result, I have gone into a campaign to begin dropping all subnets that I really do not need to allow connections from.

Selecting Countries to Drop
The criteria that I developed may not work for you, so keep that in mind. However, I am giving you some idea of my reasoning to help in your decision making.

1. Countries that are frequent attackers
One of the things I have done is watch logs so that I can drop those who are constantly stealing my resources.

2. Countries whose mail I cannot read
I have limited language skills. If I cannot speak Chinese, why allow Chinese mail to arrive at my mail server?

3. Countries I do not do business with
There are a lot of countries that I do not do business with. Some countries, like Indonesia, have been constant sources of fraud; I have never had a legitimate order from Indonesia.

It is important to recognize that many of these subnets overlap and are shared with other countries, so you will need to be careful and do your own research.

USE THIS ONLY AS AN EXAMPLE…VERIFY YOUR CHOICES.

#!/bin/sh
#####################################################
# BLOCK COUNTRY ATTACKS
#####################################################
# These rules are appended (-A) to INPUT, so they must come before any rule
# that ACCEPTs SMTP traffic or they will never match.
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
# iptables requires all four octets in a prefix (168.208.0/16 is rejected)
iptables -A INPUT -s 168.208.0.0/16 -j DROP
iptables -A INPUT -s 196.192.0.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -j DROP
# 218.0.0.0/8 is already dropped above
iptables -A INPUT -s 222.0.0.0/8 -j DROP
# Africa
iptables -A INPUT -s 41.0.0.0/8 -j DROP
# Brazil and Argentina
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/8 -j DROP
iptables -A INPUT -s 201.0.0.0/8 -j DROP
# China
# Verify each of these with whois before use: 62.0.0.0/8 and 77-79.0.0.0/8 are
# RIPE NCC (European) allocations, and a /8 rarely maps to a single country.
iptables -A INPUT -s 62.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/8 -j DROP
iptables -A INPUT -s 79.0.0.0/8 -j DROP
iptables -A INPUT -s 130.0.0.0/8 -j DROP
iptables -A INPUT -s 131.0.0.0/8 -j DROP
iptables -A INPUT -s 137.0.0.0/8 -j DROP
iptables -A INPUT -s 146.0.0.0/8 -j DROP
iptables -A INPUT -s 147.0.0.0/8 -j DROP
iptables -A INPUT -s 150.0.0.0/8 -j DROP
# Indonesia
# 58.0.0.0/8 is already dropped in the Asia section
iptables -A INPUT -s 60.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 114.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP
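Because /8 rules are blunt and easy to mistype, a small checker is worth running over such a list before loading it. The Python script below is an added example, not code from the original post: it parses rules in the post's iptables format, rejects malformed prefixes, flags duplicates and prefixes already covered by an earlier rule, reports the first rule that would drop a given connecting address, and totals how much address space the list drops. RULES is a constructed sample modelled on the list above.

```python
import ipaddress
import re
# Constructed sample in the post's "iptables -A INPUT -s <net> -j DROP" format;
# it deliberately contains a duplicate, an overlap and a malformed prefix.
RULES = """
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 168.208.0/16 -j DROP
# Indonesia
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 218.10.0.0/16 -j DROP
"""
RULE_RE = re.compile(r"^iptables\s+-A\s+INPUT\s+-s\s+(\S+)\s+-j\s+DROP$")

def parse_rules(text):
    """Return (networks, problems); networks keeps source order, duplicates included."""
    networks, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((lineno, "unrecognised rule", line))
            continue
        try:
            # strict=True also rejects a prefix with host bits set, e.g. 10.1.0.0/8
            networks.append(ipaddress.ip_network(m.group(1), strict=True))
        except ValueError:
            problems.append((lineno, "malformed prefix", m.group(1)))
    return networks, problems

def find_redundant(networks):
    """Duplicates, and prefixes already covered by an earlier, larger one."""
    out = []
    for i, net in enumerate(networks):
        prior = next((e for e in networks[:i] if net.subnet_of(e)), None)
        if prior is not None:
            out.append(("duplicate" if net == prior else "covered by", str(net), str(prior)))
    return out

def matching_rule(networks, addr):
    """First rule that would DROP addr (iptables is first-match); None if it gets through."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in networks if ip in n), None)

def dropped_address_count(networks):
    """Addresses dropped in total, counting overlapping prefixes once."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))
```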

AppArmor Templates for Postfix

Filed Under Security | Comments Off

Using Pre-Built Templates
Add the pre-built templates for Postfix.

sudo apt-get install apparmor-profiles

This will load many pre-built templates that you can use.

cd /usr/share/doc/apparmor-profiles/extras

Now copy all of the Postfix related profiles into /etc/apparmor.d/.

sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/

Restart the AppArmor daemon.

sudo /etc/init.d/apparmor restart

Now check the number of active profiles.

sudo aa-status

32 profiles are in enforce mode.
/usr/lib/postfix/spawn
/usr/lib/postfix/tlsmgr
/usr/sbin/saslauthd
/usr/lib/postfix/pipe
/usr/lib/postfix/proxymap
/usr/lib/postfix/bounce
/usr/sbin/postalias
/usr/lib/postfix/pickup
/usr/lib/postfix/qmqpd
/usr/lib/postfix/showq
/usr/sbin/avahi-daemon
/usr/lib/postfix/local
/usr/lib/postfix/nqmgr
/usr/sbin/postdrop
/usr/lib/postfix/scache
/usr/lib/postfix/virtual
/usr/lib/postfix/lmtp
/usr/lib/postfix/discard
/usr/lib/postfix/error
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/cleanup
/usr/sbin/postfix
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/lib/postfix/anvil
/usr/lib/postfix/qmgr
/usr/lib/postfix/master
/usr/lib/postfix/verify
/usr/lib/postfix/flush
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/oqmgr

You may not need all of these profiles, depending upon what you are running, so remove those you do not need. You can switch the profiles to complain mode so that you can test them. Whatever you do, you should update the profiles by running Postfix and then making any adjustments necessary with the aa-logprof command. This will make sure that the profiles allow what your system actually needs.

aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:    /usr/sbin/postfix
Capability: sys_tty_config
Severity:   8

(A)llow / [(D)eny] / Abo(r)t / (F)inish
Adding capability sys_tty_config to profile.

Profile:  /usr/sbin/postfix
Path:     /etc/postfix/main.cf
Mode:     r
Severity: 3

[1 - /etc/postfix/main.cf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/postfix/main.cf r to profile.

Profile:  /usr/sbin/saslauthd
Path:     /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock
Mode:     w
Severity: unknown

[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

[1 - /usr/sbin/postfix]
2 - /usr/sbin/saslauthd

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/postfix.
Writing updated profile for /usr/sbin/saslauthd.
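The Python script below is an added example, not code from the original post: it reads AppArmor audit lines of the kind aa-logprof works through above, groups the events that need a rule by profile, and renders the rule each one would add, so you can see what a profile is missing before answering the prompts. SAMPLE_LOG is constructed to mirror the two profiles in the transcript.

```python
import re
from collections import defaultdict
# Constructed AppArmor audit lines, modelled on what a Postfix profile logs to
# /var/log/messages or /var/log/audit/audit.log in enforce (DENIED) or complain (ALLOWED) mode.
SAMPLE_LOG = """
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="capable" profile="/usr/sbin/postfix" pid=4201 comm="postfix" capability=26 capname="sys_tty_config"
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4201 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4202 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/saslauthd" name="/var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock" pid=4210 comm="saslauthd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.105:205): apparmor="ALLOWED" operation="open" profile="/usr/lib/postfix/smtpd" name="/etc/hosts" pid=4220 comm="smtpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """One audit line -> dict of key=value fields with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize_events(text):
    """Group events that need a rule by profile: file accesses keyed (path, mask),
    capability requests keyed ('capability', name), each with an event count."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        ev = parse_line(line)
        # DENIED = blocked in enforce mode; ALLOWED = complain mode let it through but
        # the profile has no rule for it. Both are what aa-logprof asks you about.
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if ev.get("operation") == "capable":
            key = ("capability", ev["capname"])
        else:
            key = (ev["name"], ev.get("denied_mask", ev.get("requested_mask", "")))
        summary[ev["profile"]][key] += 1
    return {p: dict(k) for p, k in summary.items()}

def suggested_rules(summary):
    """Render each event as the profile rule aa-logprof would offer to add."""
    rules = {}
    for profile, events in summary.items():
        lines = []
        for key in sorted(events):
            if key[0] == "capability":
                lines.append(f"capability {key[1]},")
            else:
                lines.append(f"{key[0]} {key[1]},")
        rules[profile] = lines
    return rules
```

aa-logprof and aa-complain ship in the apparmor-utils package on Debian and Ubuntu.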