Currently I'm reducing failed authentication spam in logs by blocking access to Dovecot and SSHD based on the IP address country of origin. Both services require authentication and I have no users or automation needing access, outside a rather small list of countries.

This is done using a tcpwrappers' `aclcheck` and a shell script being passed `%a` and invoking the `geoiplookup` (or `geoiplookup6`) binary that I happen to have installed on my system. All set up with `/etc/hosts.allow`, `/etc/hosts.deny`. This is enough to get rid of most failed logins.

Postfix, despite being authored by the same person as tcpwrappers, does not do tcpwrappers -- at least in Debian, its various binaries are not linked against `libwrap.so`.

`iptables` is, to my knowledge, not applicable; I don't believe it can ask a userspace binary to determine whether an IP packet (such as TCP SYN) should be accepted or rejected.

Is there a convenient way to either make Postfix's daemons that listen for TCP connections, such as `master`, make use of `hosts.allow`/`hosts.deny`? Is `tcpd` an answer? How would one make proper use of it?

I'm interested in blocking just the `smtps` and `submission` ports -- those that allow authentication (and thus allow post-authentication relaying) -- based on the country of origin.
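The country check the question describes (a tcpwrappers hook handed `%a`, calling `geoiplookup`/`geoiplookup6` and allowing or denying by country) can look like the script below. This is an added example, not the poster's script: it assumes the tcpwrappers `aclexec` option (exit status 0 allows the connection, non-zero denies it) in a `hosts.allow` line such as `sshd, dovecot: ALL: aclexec /usr/local/sbin/country-allow.sh %a`, and the script path, the `ALLOWED_COUNTRIES` list and the sample lookup output are constructed. The parsing and decision logic are kept in functions so they can be exercised without the GeoIP binaries installed.

```shell
#!/bin/sh
# Added example (not the poster's own script). Intended to be invoked by
# tcpwrappers as:  sshd, dovecot: ALL: aclexec /usr/local/sbin/country-allow.sh %a
# Exit 0 => connection allowed, non-zero => denied (assumed aclexec semantics).

# Allow-list of ISO 3166 country codes; constructed default, override via env.
ALLOWED_COUNTRIES="${ALLOWED_COUNTRIES:-US CA GB}"

# Extract the two-letter country code from geoiplookup output such as
#   "GeoIP Country Edition: US, United States"
# Prints nothing for "GeoIP Country Edition: IP Address not found" or
# any other unexpected output, so an unknown origin is never silently allowed.
country_from_geoip_output() {
    printf '%s\n' "$1" | sed -n 's/^GeoIP Country[^:]*: \([A-Z][A-Z]\),.*/\1/p' | head -n 1
}

# Return 0 when the code is on the allow-list, 1 otherwise (empty code => deny).
country_allowed() {
    code="$1"
    [ -n "$code" ] || return 1
    for c in $ALLOWED_COUNTRIES; do
        [ "$c" = "$code" ] && return 0
    done
    return 1
}

# Choose the lookup binary by address family: anything containing ':' is IPv6.
lookup_country() {
    ip="$1"
    case "$ip" in
        *:*) out=$(geoiplookup6 "$ip" 2>/dev/null) ;;
        *)   out=$(geoiplookup "$ip" 2>/dev/null) ;;
    esac
    country_from_geoip_output "$out"
}

# Full decision for one client address; denied connections are logged
# with the resolved country so the block is auditable from syslog.
check_ip() {
    ip="$1"
    code=$(lookup_country "$ip")
    if country_allowed "$code"; then
        return 0
    fi
    logger -t country-allow "deny $ip country=${code:-unknown}"
    return 1
}

# Only perform a real lookup when an address is passed (aclexec passes %a);
# sourcing or running the file without arguments just defines the functions.
if [ $# -eq 1 ]; then
    check_ip "$1"
    exit $?
fi
```

A deny-by-default posture matters here: a failed or ambiguous lookup yields an empty code, which `country_allowed` rejects, so a missing GeoIP database cannot turn into an open door. The same functions can be driven from any hook that hands the script a client address, since the decision is just the exit status.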