From: Karl Denninger <karl@denninger.net>
To: freebsd-stable@freebsd.org
Subject: Re: Postfix and tcpwrappers?
Date: Mon, 25 Jul 2016 14:53:18 -0500
In-Reply-To: <1308b751-450d-4c73-6a49-746d53031b11@digiware.nl>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
On 7/25/2016 14:48, Willem Jan Withagen wrote:
> On 25-7-2016 19:32, Karl Denninger wrote:
>> On 7/25/2016 12:04, Ronald Klop wrote:
>>> On Mon, 25 Jul 2016 18:48:25 +0200, Karl Denninger wrote:
>>>
>>>> This may not belong in "stable", but since Postfix is one of the
>>>> high-performance alternatives to sendmail....
>>>>
>>>> Question is this -- I have sshguard protecting connections inbound, but
>>>> Postfix appears to be ignoring it, which implies that it is not paying
>>>> attention to the hosts.allow file (and the wrapper that enables it.)
>>>>
>>>> Recently a large body of clowncars have been targeting my sasl-enabled
>>>> https gateway (which I use for client machines and thus do in fact need)
>>>> and while sshguard picks up the attacks and tries to ban them, postfix
>>>> is ignoring the entries it makes which implies it is not linked with the
>>>> tcp wrappers.
>>>>
>>>> A quick look at the config for postfix doesn't disclose an obvious
>>>> configuration solution....did I miss it?
>>>>
>>> Don't know if postfix can handle tcp wrappers, but I use bruteblock
>>> [1] for protecting connections via the ipfw firewall. I use this for
>>> ssh and postfix.
> Given the fact that both tcpwrappers and postfix originate from the same
> author (Wietse Venema) I'd be very surprised if you could not do this.
> http://www.postfix.org/linuxsecurity-200407.html
>
> But grepping the binary for libwrap it does seem to be the case.
> Note that you can also educate sshguard to actually use a script to do
> whatever you want it to do. I'm using it to add rules to an ipfw table
> that is used in a deny-rule.
>
> Reloading the fw keeps the deny-rules, flushing the table deletes all
> blocked hosts without reloading the firewall.
> Both times a bonus.
>
> --WjW

That's why I was surprised too... but it is what it is.
I just rebuilt sshguard to use an ipfw table instead of hosts.allow; since I use ipfw anyway for firewall/routing/ipsec/etc., adding one line up near the top of my ruleset to match against the table and send back a reset (I'm considering black-holing attempts instead, as that will slow the clowncar brigade down and thus "helps" others) resolved the issue.

It's interesting that all of a sudden the clowncar folks figured out that if they hit my email server with SSL they could then attempt an auth. I have always had auth turned off for non-SSL connections for obvious reasons (passing passwords around plain is bad news, yanno) and until recently the clowns hadn't bothered with the overhead of setting up SSL connections. That appears to now have changed, so....

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
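The approach the thread converges on (a blocker feeding an ipfw table that one deny or reset rule near the top of the ruleset matches against, so that reloading the rules keeps the bans and flushing the table lifts them) as an added example; this is not code from the thread, from sshguard or from FreeBSD. The table number, the rule number, the block/release/flush script interface and the safelist prefixes are assumptions.

```shell
#!/bin/sh
# ipfw-table backend for a brute-force blocker such as sshguard: an added
# illustration, not code from the thread, from sshguard or from FreeBSD.
# Assumptions: table number 1, rule number 50, and a blocker that runs
# this script as "block <ip>", "release <ip>" or "flush". Set IPFW=echo
# to print the ipfw commands instead of executing them.
IPFW="${IPFW:-ipfw}"
TABLE="${TABLE:-1}"
RULE="${RULE:-50}"
# Prefixes that must never be blocked, so a mistyped password on the LAN
# cannot lock the administrator out (constructed sample values).
SAFELIST="${SAFELIST:-192.168.1. 127.0.0.1}"
# The one line placed near the top of the ruleset. "reset" answers with a
# TCP RST (what the thread does); "deny" drops silently, the black-hole
# variant that makes each attempt cost the attacker a connection timeout.
ruleset_line() {  # $1 = reset | deny
    printf 'add %s %s ip from table(%s) to me\n' "$RULE" "$1" "$TABLE"
}
# Shape check only (ipfw itself rejects octets above 255); keeps an odd
# log-derived string from ever reaching the ipfw command line.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
is_safe() {  # simple prefix match against SAFELIST, not real CIDR maths
    for p in $SAFELIST; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}
fw_block() {
    valid_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    is_safe "$1" && { echo "refusing safelisted address: $1" >&2; return 1; }
    "$IPFW" table "$TABLE" add "$1"
}
fw_release() { "$IPFW" table "$TABLE" delete "$1"; }
# Flushing the table unblocks everyone while the deny rule itself stays;
# reloading the ruleset leaves the table contents alone.
fw_flush()   { "$IPFW" table "$TABLE" flush; }

case "${1:-}" in
    block)   fw_block "$2" ;;
    release) fw_release "$2" ;;
    flush)   fw_flush ;;
    rules)   ruleset_line reset; ruleset_line deny ;;
    "")      : ;;  # sourced or run without arguments: only define functions
    *)       echo "usage: $0 block|release <ip> | flush | rules" >&2; exit 64 ;;
esac
```

Run `IPFW=echo sh script.sh block 203.0.113.7` to see the exact table command before wiring the script into the blocker; `sh script.sh rules` prints both rule variants for pasting into the ruleset.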