NFTables, Mails

Hi,

I try to get a look at your solution but I have few questions.
First one is about filtering on the firewall.
I see the cs-netfilter-blocker but this one use iptables.
But since debian 10 now they recommend using nftables.

Other question, I see no collecitons about postfix, dovecot or other mails solutions.

It’s my job to go to the documentation and write everything needed (and eventually share it here) or do you have plan to write those tools ?

Thank you for your feedback.

For now the only way to filter is iptables, and you are right since debian buster, nftables is recommended. Debian documentation (https://wiki.debian.org/nftables) tells us that nftables is the default backend when using iptables with debian buster, so I guess nftables is used when using debian 10. Nevertheless we planned to develop the same tool for nft directly.

It’s true that there’s no mail collection for now, and we’ll definitely welcome any useful contribution. What are the scenarios you would see useful regarding mails ? Maybe if you have some logs you may share with us, we can collaborate to have some collections written.

Thx for the answer.
I use postfix, dovecot. I use fail2ban to block too many auth failures, too many connection without any action and maybe spam (have to check).
Like that :
connect from unknown[xxx]
lost connection after AUTH from unknown[xxx]
disconnect from unknown[xxx] ehlo=1 auth=0/1 commands=1/2

connect from xxx[xxx]
lost connection after CONNECT from xxx[xxx]
disconnect from xxx[xxx] commands=0/0

or the postfix and dovecot filter on fail2ban.

All that can block IP sending spam, trying to brute force or check for open relays.

And about nftables yes on debian 10 when you use iptable you really use nftables.
It’s juste to have a script who directly use nftables :slight_smile:

Ok,

We’ll try to provide some postfix scenarios very soon !

1 Like

HI,

We now have a postfix collection aimed at detecting spam attempt.

1 Like

oh nice, I will take a look at that.
My goal is to integer crowdsec to all my new server install with debian 11 during the 2021 summer.
I hope I will be able to replace fail2ban with that.

1 Like

Hi, can you add detection on the those event too ?

Oct 16 13:34:34 yoda postfix/smtpd[25340]: NOQUEUE: reject: RCPT from unknown[49.68.146.75]: 554 5.7.1 xxx@xxx: Relay access denied; from=ztqqdzea@iaqx.com to=xxx@xxx proto=ESMTP helo=<iaqx.com>

Oct 16 13:27:33 yoda postfix/smtpd[29340]: NOQUEUE: reject: RCPT from unknown[193.106.50.54]: 450 4.7.1 <Pool-6-193.106.50.54.o.kg>: Helo command rejected: Host not found; from=xxx@xxx to=xxx@xxx proto=ESMTP helo=<Pool-6-193.106.50.54.o.kg>

Oct 16 13:20:53 yoda postfix/smtpd[26160]: NOQUEUE: reject: RCPT from unknown[72.11.135.222]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=xxxx@xxx to=xxx@xxx proto=ESMTP helo=

After that I miss dovecot, and I will be able to make some test on production server.
Do you prefer the fail2ban config file or some error log ?

Ok, I’ll add these as soon as possible, and update here.

We really love to have feedback on our scenario’s usefulness.

1 Like

Hi, I just installed crowdsec on a new server, those rules are not in the filter.
Do you plan to update it ?
If you update the filter, will this be downloaded with the installer and the --upgrade option ?

Hi,

If I understand your question, you’re asking how to deploy the new postfix rules on a new box, aren’t you ?

The issue is that we don’t want to merge the postfix scenarios before it being well tested, to be sure it works well. It works for me, but I would really want your feedback before merging.

So for now you’ll access the postfix scenario using postfix branch of https://github.com/crowdsecurity/hub . So the only requirement is to use --branch postfix whenever you use cscli. Another caveat you mentionned is that the wizard is not aware of postfix service yet. This requires a crowdsec new version. I believe, it will be done soon…

Have I answered your question ?