I try to get a look at your solution but I have few questions.
First one is about filtering on the firewall.
I see the cs-netfilter-blocker but this one use iptables.
But since debian 10 now they recommend using nftables.
Other question, I see no collections about postfix, dovecot or other mail solutions.
Is it my job to go to the documentation and write everything needed (and eventually share it here), or do you plan to write those tools?
For now the only way to filter is iptables, and you are right since debian buster, nftables is recommended. Debian documentation (https://wiki.debian.org/nftables) tells us that nftables is the default backend when using iptables with debian buster, so I guess nftables is used when using debian 10. Nevertheless we planned to develop the same tool for nft directly.
It’s true that there’s no mail collection for now, and we’ll definitely welcome any useful contribution. What are the scenarios you would see useful regarding mail? Maybe if you have some logs you may share with us, we can collaborate to have some collections written.
Thanks for the answer.
I use postfix, dovecot. I use fail2ban to block too many auth failures, too many connections without any action and maybe spam (have to check).
Like that :
connect from unknown[xxx]
lost connection after AUTH from unknown[xxx]
disconnect from unknown[xxx] ehlo=1 auth=0/1 commands=1/2
connect from xxx[xxx]
lost connection after CONNECT from xxx[xxx]
disconnect from xxx[xxx] commands=0/0
or the postfix and dovecot filter on fail2ban.
All that can block IP sending spam, trying to brute force or check for open relays.
And about nftables yes on debian 10 when you use iptables you really use nftables.
It’s just to have a script that directly uses nftables.
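The log lines quoted above are what a fail2ban jail or a CrowdSec scenario keys on: per client IP, count sessions that ended with a failed AUTH or with no command at all, and act once a threshold is crossed inside a time window. The following Python is an added illustration of that detection logic, written for this thread; it is not code from CrowdSec, its hub, or the poster. The log sample is constructed (RFC 5737 documentation addresses, hostname `mx`), and the thresholds (3 events) and window (10 minutes) are assumed values chosen for the example, not CrowdSec defaults. It reads only the `disconnect from` summary line of each session, because that line carries the `auth=ok/total` and `commands=ok/total` counters and appears exactly once per session, which avoids double counting the `lost connection after AUTH` line from the same session.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of postfix/smtpd log lines (not taken from the thread).
# 192.0.2.10 fails AUTH three times, 198.51.100.7 connects and sends nothing
# three times, 203.0.113.5 is a legitimate authenticated submission.
SAMPLE_LOG = """\
Jun 01 10:00:01 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Jun 01 10:00:02 mx postfix/smtpd[1201]: lost connection after AUTH from unknown[192.0.2.10]
Jun 01 10:00:02 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jun 01 10:00:20 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Jun 01 10:00:21 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jun 01 10:00:40 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Jun 01 10:00:41 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jun 01 10:01:00 mx postfix/smtpd[1202]: connect from scanner.example[198.51.100.7]
Jun 01 10:01:00 mx postfix/smtpd[1202]: lost connection after CONNECT from scanner.example[198.51.100.7]
Jun 01 10:01:00 mx postfix/smtpd[1202]: disconnect from scanner.example[198.51.100.7] commands=0/0
Jun 01 10:01:30 mx postfix/smtpd[1202]: connect from scanner.example[198.51.100.7]
Jun 01 10:01:30 mx postfix/smtpd[1202]: disconnect from scanner.example[198.51.100.7] commands=0/0
Jun 01 10:02:00 mx postfix/smtpd[1202]: connect from scanner.example[198.51.100.7]
Jun 01 10:02:00 mx postfix/smtpd[1202]: disconnect from scanner.example[198.51.100.7] commands=0/0
Jun 01 10:03:00 mx postfix/smtpd[1203]: connect from laptop.example[203.0.113.5]
Jun 01 10:03:05 mx postfix/smtpd[1203]: disconnect from laptop.example[203.0.113.5] ehlo=2 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

# syslog prefix: "Mon dd HH:MM:SS host postfix/smtpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
DISCONNECT_RE = re.compile(r"disconnect from \S+\[(?P<ip>[^\]]+)\](?P<counters>.*)$")
# postfix writes "name=ok/total" when some commands failed, plain "name=n" otherwise
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counters(text):
    """Return {counter: (ok, total)} from the tail of a disconnect line."""
    return {
        name: (int(ok), int(total) if total else int(ok))
        for name, ok, total in COUNTER_RE.findall(text)
    }


def classify_disconnect(counters):
    """Map a session summary to (event kind, weight) or (None, 0)."""
    ok, total = counters.get("auth", (0, 0))
    if total > ok:                       # at least one failed AUTH in this session
        return "auth_fail", total - ok
    if counters.get("commands") == (0, 0):   # connected, sent nothing, left
        return "noop", 1
    return None, 0


def parse_line(line, year=2021):
    """Return (timestamp, ip, kind, weight) for a relevant disconnect line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = DISCONNECT_RE.search(m["msg"])
    if not d:
        return None
    kind, weight = classify_disconnect(parse_counters(d["counters"]))
    if kind is None:
        return None
    # syslog lines carry no year; the caller supplies one (assumed 2021 here)
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, d["ip"], kind, weight


def find_offenders(log_text, thresholds=None, window=timedelta(minutes=10), year=2021):
    """Sliding-window count per (ip, kind); returns {ip: kind} for IPs over threshold."""
    thresholds = thresholds or {"auth_fail": 3, "noop": 3}   # assumed values
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)        # (ip, kind) -> timestamps inside the window
    offenders = {}
    for ts, ip, kind, weight in events:
        q = recent[(ip, kind)]
        q.extend([ts] * weight)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= thresholds[kind] and ip not in offenders:
            offenders[ip] = kind
    return offenders


if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

On the sample this flags `192.0.2.10` for repeated failed AUTH and `198.51.100.7` for repeated empty connections, while the authenticated client `203.0.113.5` is never counted. Using the `disconnect` counters rather than the `lost connection` lines also lets a single session with `auth=0/3` carry a weight of 3, which matches how fail2ban's postfix filters treat a client that retries inside one connection.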
oh nice, I will take a look at that.
My goal is to integrate crowdsec into all my new server installs with debian 11 during summer 2021.
I hope I will be able to replace fail2ban with that.
Hi, I just installed crowdsec on a new server, those rules are not in the filter.
Do you plan to update it?
If you update the filter, will this be downloaded with the installer and the --upgrade option ?
If I understand your question, you’re asking how to deploy the new postfix rules on a new box, aren’t you?
The issue is that we don’t want to merge the postfix scenarios before they are well tested, to be sure they work well. It works for me, but I would really want your feedback before merging.
So for now you’ll access the postfix scenario using the postfix branch of https://github.com/crowdsecurity/hub . So the only requirement is to use --branch postfix whenever you use cscli. Another caveat you mentioned is that the wizard is not aware of the postfix service yet. This requires a new crowdsec version. I believe it will be done soon…