Currently I'm reducing failed authentication spam in logs by blocking access to Dovecot and SSHD based on the IP address country of origin. Both services require authentication and I have no users or automation needing access, outside a rather small list of countries.
This is done using a tcpwrappers' aclcheck and a shell script being passed %a and invoking the geoiplookup (or geoiplookup6) binary that I happen to have installed on my system. All set up with /etc/hosts.allow, /etc/hosts.deny.
This is enough to get rid of most failed logins.
Postfix, despite being authored by the same person as tcpwrappers, does not do tcpwrappers -- at least in Debian, its various binaries are not linked against libwrap.so.
iptables is, to my knowledge, not applicable; I don't believe it can ask a userspace binary to determine whether an IP packet (such as a TCP SYN) should be accepted or rejected.
Is there a convenient way to make Postfix's daemons that listen for TCP connections, such as master, make use of hosts.allow/hosts.deny? Is tcpd an answer? How would one make proper use of it?
I'm interested in blocking just the smtps and submission ports -- those that allow authentication (and thus allow post-authentication relaying) -- based on the country of origin.
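An added example of the shell side of the hosts.allow approach described in the question (my own illustration, not the asker's script): a helper that tcp_wrappers' aclexec option from hosts_options(5) can run with %a, which parses geoiplookup/geoiplookup6 output and allows only a configured list of country codes. The ALLOWED_COUNTRIES list, the script path and the hosts.allow line shown in the comments are assumptions for illustration; addresses the database cannot resolve are denied rather than let through.

```shell
#!/bin/sh
# Added example, not the asker's script. Country allow/deny helper for
# tcp_wrappers' aclexec option (hosts_options(5)). Assumes the legacy
# geoiplookup / geoiplookup6 binaries and a hosts.allow line such as
#   sshd dovecot : ALL : aclexec /usr/local/sbin/geo-allow.sh %a
# (path is an assumption); aclexec allows the connection only if the
# command exits 0.

# Countries whose addresses may reach the authenticating services.
# This list is constructed for the example; adjust to your users.
ALLOWED_COUNTRIES="${ALLOWED_COUNTRIES:-US CA GB}"

# Extract the two-letter ISO code from geoiplookup(6) output, e.g.
#   "GeoIP Country Edition: US, United States"      -> US
#   "GeoIP Country V6 Edition: DE, Germany"         -> DE
#   "GeoIP Country Edition: IP Address not found"   -> (empty)
geo_country_code() {
    printf '%s\n' "$1" | sed -n 's/^GeoIP Country[^:]*: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# Decide on a lookup result: 0 = allow, 1 = deny. Unknown or unresolvable
# countries are denied (fail closed), since the goal is cutting down
# unauthenticated noise, not maximising reachability.
country_allowed() {
    code=$(geo_country_code "$1")
    [ -n "$code" ] || return 1
    for c in $ALLOWED_COUNTRIES; do
        [ "$c" = "$code" ] && return 0
    done
    return 1
}

# Pick the IPv4 or IPv6 lookup binary from the address tcpwrappers passed as %a.
lookup_cmd_for() {
    case "$1" in
        *:*) echo geoiplookup6 ;;
        *)   echo geoiplookup ;;
    esac
}

# Entry point used by aclexec: $1 is the client address (%a).
main() {
    addr=$1
    [ -n "$addr" ] || exit 1
    cmd=$(lookup_cmd_for "$addr")
    # A failed lookup (missing binary, unreadable database) also denies.
    out=$("$cmd" "$addr" 2>/dev/null) || exit 1
    if country_allowed "$out"; then
        exit 0
    else
        logger -t geo-allow "deny $addr ($(geo_country_code "$out"))"
        exit 1
    fi
}

# Only run main when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "geo-allow.sh" ]; then
    main "$@"
fi
```

Denied connections are logged with logger so the decision is still visible in syslog, which is usually what you want when the point of the exercise is log hygiene rather than silence.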
Actually you can use the netfilter (iptables) NFQUEUE to have an external program evaluate packets/connections. I'm usually on RHEL and CentOS and download the IP ranges in CIDR format and then use ipset to create a relatively efficient white- or blacklist in iptables. But when you're on, for instance, Debian/Ubuntu you can easily install the xt_geoip module from the package xtables-addons-dkms to get GeoIP capabilities for your netfilter iptables firewall:
Install the package:
Download the GeoIP source data and build the binary database:
And then add country-aware geoip firewall rules as needed:
or if you prefer:
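As an added example of the ipset approach from this answer applied to just the two ports the question asks about (my own script, not the answerer's commands, which this page does not reproduce): a POSIX shell script that turns a CIDR allowlist file into an `ipset restore` script and prints the matching iptables rules, plus the equivalent single rule using the xt_geoip match. The set name, the sample CIDRs in the comments and the `-m geoip --src-cc` syntax are assumptions from my own knowledge of xtables-addons, not taken from the page. Nothing here needs root; it only emits text that can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not the answerer's commands. Builds an ipset-backed
# country allowlist for the Postfix submission (587) and smtps (465) ports
# from a CIDR list and prints the iptables rules that use it.

SMTP_AUTH_PORTS="465,587"

# Emit an `ipset restore` script from a file of CIDRs, one per line.
# '#' comments and blank lines are ignored; entries with characters other
# than digits, dots and a single slash are reported on stderr and skipped,
# so a corrupted download does not silently end up in the kernel set.
ipset_restore_script() {
    setname=$1
    cidrfile=$2
    printf 'create %s hash:net family inet -exist\n' "$setname"
    printf 'flush %s\n' "$setname"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        case "$entry" in
            *[!0-9./]*|*/*/*|*.*.*.*.*)
                echo "skipping malformed entry: $entry" >&2
                continue ;;
        esac
        printf 'add %s %s -exist\n' "$setname" "$entry"
    done < "$cidrfile"
}

# iptables commands: accept NEW connections to the auth ports only from the
# allowlisted set and reset everything else aimed at those ports. Port 25
# is deliberately untouched so inbound MX delivery keeps working.
iptables_rules() {
    setname=$1
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -m set --match-set %s src -j ACCEPT\n' \
        "$SMTP_AUTH_PORTS" "$setname"
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset\n' \
        "$SMTP_AUTH_PORTS"
}

# Same policy with the xt_geoip match from xtables-addons (syntax assumed:
# -m geoip --src-cc CC,CC). The '!' inverts the match, so a single rule
# rejects every new connection not from the listed countries.
geoip_rules() {
    countries=$1
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -m geoip ! --src-cc %s -j REJECT --reject-with tcp-reset\n' \
        "$SMTP_AUTH_PORTS" "$countries"
}

# Usage (assumed paths):
#   ipset_restore_script smtp_auth_allow /etc/smtp-auth-allow.cidr | ipset restore
#   iptables_rules smtp_auth_allow      # review, then run as root
#   geoip_rules US,CA,GB                 # alternative with xt_geoip
```

Keep the ACCEPT rule ahead of the REJECT rule and place both before any broader accept for the mail ports, otherwise the allowlist never gets consulted; the conntrack match keeps the rules from interfering with already-established sessions when the set is refreshed.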